
Re: Issues in LDAP schema IDs



Michael Ströder Wrote:
>
> David Chadwick wrote:
> >
> > Peter and I have resolved all the issues described at the PKIX meeting
> > today, apart from one, which is what should be the attribute type to be
> > used to hold the X.509 DER encoded attribute. Should it be the original
> > attribute type name e.g. userCertificate or a new attribute whose schema
> > says it must be single valued.
>
> I'd strongly argue for backwards compatibility with existing clients
> => userCertificate
>
> Of course there should be a directory profiling note stating that there
> MUST NOT be more than one attribute value to be compliant. The caveat is
> of course that the directory can't enforce the SINGLE-VALUE restriction by
> schema definition.
>
My concern is a CA may support dual key pairs for a single EE. One key pair
is for digital signature usage; the other key pair is for encipherment usage. A
CA may even support triple key pairs for a single EE if non-repudiation usage is
to be separated from digital signature usage. Therefore, a CA may issue two or
three certificates to an EE at a time. If the attribute is restricted to be
single valued, how are these certificates to be stored in the directory?

-----
Wen-Cheng Wang
Project Researcher
Telecommunication Laboratories
Chunghwa Telecom Co., Ltd
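The thread turns on one schema detail: the standard `userCertificate` attribute type carries no `SINGLE-VALUE` flag, so a directory server will happily store two or three certificates (signing, encipherment, non-repudiation) under one entry, and the "one value only" rule from a profiling note can only be checked by the client or a validator, not by the server's schema. The following Python script is an added example, not code from the thread or from any directory product: it parses two RFC 4512-style attribute type descriptions (the real `userCertificate` definition with its OID 2.5.4.36 and Certificate syntax, and a hypothetical single-valued variant with a placeholder OID and the invented name `singleUserCertificate`), parses a constructed LDIF entry that holds a dual-key EE's two certificates (placeholder bytes, not real DER), and reports where the entry violates a `SINGLE-VALUE` restriction.

```python
import base64
import re
from dataclasses import dataclass

# Minimal parser for an RFC 4512 attribute type description of the shape
# "( <oid> NAME '<name>' ... [SINGLE-VALUE] ... )". Only a single quoted
# NAME is handled, which is enough for the two definitions below.
ATTR_RE = re.compile(r"\(\s*(?P<oid>[\d.]+)\s+NAME\s+'(?P<name>[^']+)'(?P<rest>.*)\)", re.S)

# Standard definition: OID and syntax as registered for userCertificate.
# Note the absence of SINGLE-VALUE, so the server cannot enforce one value.
STANDARD_USER_CERTIFICATE = (
    "( 2.5.4.36 NAME 'userCertificate' DESC 'X.509 user certificate' "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 )"
)

# Hypothetical single-valued variant discussed in the thread. The OID and the
# attribute name are placeholders constructed for this example.
HYPOTHETICAL_SINGLE_VALUED = (
    "( 9.9.9.9.9 NAME 'singleUserCertificate' DESC 'hypothetical single-valued variant' "
    "SYNTAX 1.3.6.1.4.1.1466.115.121.1.8 SINGLE-VALUE )"
)

# Constructed placeholder certificate bytes; real entries hold DER-encoded X.509.
SIGN_CERT = b"placeholder-signing-certificate"
ENC_CERT = b"placeholder-encipherment-certificate"


@dataclass
class AttributeType:
    oid: str
    name: str
    single_value: bool


def parse_attribute_type(desc: str) -> AttributeType:
    """Extract OID, NAME and the SINGLE-VALUE flag from a description."""
    m = ATTR_RE.search(desc)
    if not m:
        raise ValueError("not an attribute type description")
    single = re.search(r"\bSINGLE-VALUE\b", m.group("rest")) is not None
    return AttributeType(m.group("oid"), m.group("name"), single)


def build_schema(*descs: str) -> dict:
    """Map lower-cased attribute names to their parsed types."""
    return {at.name.lower(): at for at in map(parse_attribute_type, descs)}


def dual_key_ldif(attr_name: str) -> str:
    """Constructed LDIF for an EE that holds a signing and an encipherment cert."""
    return (
        "dn: cn=Example EE,o=Example\n"
        "objectClass: pkiUser\n"
        "cn: Example EE\n"
        f"{attr_name};binary:: {base64.b64encode(SIGN_CERT).decode()}\n"
        f"{attr_name};binary:: {base64.b64encode(ENC_CERT).decode()}\n"
    )


def parse_ldif_entry(text: str) -> dict:
    """Parse one LDIF entry into {attribute-name: [values]} (bytes values).

    Handles folded continuation lines (leading space), base64 values ("::")
    and attribute options such as ";binary", which are dropped so that the
    name can be matched against the schema.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        elif raw.strip():
            lines.append(raw)
    entry = {}
    for line in lines:
        if "::" in line:
            name, val = line.split("::", 1)
            value = base64.b64decode(val.strip())
        else:
            name, val = line.split(":", 1)
            value = val.strip().encode()
        base = name.split(";")[0].lower()
        entry.setdefault(base, []).append(value)
    return entry


def check_entry(entry: dict, schema: dict) -> list:
    """Report attributes that carry several values despite SINGLE-VALUE."""
    problems = []
    for name, values in entry.items():
        at = schema.get(name)
        if at is not None and at.single_value and len(values) > 1:
            problems.append(f"{at.name}: {len(values)} values but schema says SINGLE-VALUE")
    return problems


def demo():
    """Same dual-key entry checked against both schema choices."""
    multi = build_schema(STANDARD_USER_CERTIFICATE)
    single = build_schema(HYPOTHETICAL_SINGLE_VALUED)
    accepted = check_entry(parse_ldif_entry(dual_key_ldif("userCertificate")), multi)
    rejected = check_entry(parse_ldif_entry(dual_key_ldif("singleUserCertificate")), single)
    return accepted, rejected


if __name__ == "__main__":
    accepted, rejected = demo()
    print("userCertificate (multi-valued):", accepted or "no schema violation")
    print("singleUserCertificate (SINGLE-VALUE):", rejected)
```

Running it shows both sides of the argument at once: the standard multi-valued `userCertificate` accepts the two-certificate entry (so a "one value" rule has to live in a profiling note and a checker like `check_entry`), while the single-valued variant rejects it, which is exactly the dual-key problem raised in the reply.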