From: "Arne Jørgensen" <arne@arnested.dk>
Cc: ding@gnus.org, Simon Josefsson <simon@josefsson.org>
Subject: Re: ldap cert retrieval and pem encoding
Date: Sat, 28 May 2005 13:30:28 +0200
Message-ID: <874qcnh9kb.fsf@arnested.dk>
In-Reply-To: <zf.upnacmgpso3.fsf@zeitform.de> (Ulf Stegemann's message of "Fri, 27 May 2005 17:58:20 +0200")
Ulf Stegemann <ulf@zeitform.de> writes:
> Arne Jørgensen <arne@arnested.dk> wrote:
>
>> Was this with or without the patch I posted here some weeks ago?
>> <http://article.gmane.org/gmane.emacs.gnus.general/60203>
>
> I tried it only with the patch.
OK. Then the world makes sense again.
>> I've read somewhere that certificates published via LDAP _should_
>> always be in DER format. But your LDAP server is probably not the only
>> server out there delivering in PEM format so we should maybe support
>> this anyway.
>>
>> Is there some way to identify that the certificate is in PEM format?
>
> The only way to tell if the certificate is PEM encoded is to look at the
> certificate itself ...
>
>> Could you try to issue a command line like:
>>
>> ldapsearch -x -t -h LDAPSERVER -b SEARCHBASE "mail=your@address.com" "userCertificate"
>>
>> and have a look at whether the userCertificate attribute is reported
>> as userCertificate or userCertificate;binary?
>
> ... as every certificate is delivered as userCertificate;binary and no other
> field indicates the kind of encoding.
>
>> And look whether the retrieved certificate contains the PEM header and
>> footer? (-----BEGIN CERTIFICATE-----)
>
> Certificates from the ldap do contain the '-----BEGIN CERTIFICATE-----' and
> '-----END CERTIFICATE-----' lines.
>
> I do not know what's the intent of the guys running the ldap server to store
> certificates in different encodings. I was asked to provide my certificate
> PEM encoded but I presume that the encoding demanded is dependent on the
> ldap admin I talk to.
>
> Anyway, the main purpose for the ldap provided certificates is to allow
> Outlook users (and to a lesser degree Mozilla Mail/Thunderbird users) to
> encrypt/verify mail. Therefore, I think that any certificate recognized by
> Outlook --- may it be DER or PEM encoded, may it be with or without
> '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' lines, may it
> be as userCertificate or userCertificate;binary -- will possibly appear in
> ldap servers out there. I think it would be useful to know which kind of
> data Outlook (Mozilla Mail/Thunderbird) could handle to find out what could
> happen in the wild. However, I'm not familiar with Outlook and will
> most likely never be. Someone else?
I have no idea what Outlook expects either.
What we could do in Gnus is:
1. If it contains "-----BEGIN CERTIFICATE-----" it is in PEM-format.
2. Otherwise try to base64-decode it and if that succeeds also assume
it is in PEM-format.
3. Finally decide it must be in DER-format.
This shouldn't be difficult to implement. I have time to make an
implementation on Tuesday.
Kind regards,
--
Arne Jørgensen <http://arnested.dk/>
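The three-step PEM/DER heuristic proposed above, as an added Python example (not Gnus code and not from anyone in this thread). It adds one safeguard the proposal does not spell out: a value that merely base64-decodes is only accepted as PEM if the decoded bytes form a single DER SEQUENCE, since otherwise any base64-looking text would be misclassified. The sample values are a constructed minimal SEQUENCE, not a real certificate.

```python
import base64
import binascii
import re

# Armored PEM: header, base64 body (may span several lines), footer.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(?P<body>[A-Za-z0-9+/=\s]+?)\s*"
    rb"-----END CERTIFICATE-----"
)


def looks_like_der_cert(data: bytes) -> bool:
    """A DER X.509 certificate is one SEQUENCE (tag 0x30) whose length
    field accounts for exactly the rest of the buffer."""
    if len(data) < 2 or data[0] != 0x30:
        return False
    first = data[1]
    if first < 0x80:                      # short-form length
        return len(data) == 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return False
    length = int.from_bytes(data[2:2 + n], "big")
    return len(data) == 2 + n + length


def classify_certificate(value: bytes):
    """Return (encoding, der_bytes) for a userCertificate value:
    1. PEM header present -> "pem"; 2. else base64 that decodes to a
    DER SEQUENCE -> "base64" (PEM body without armor); 3. else "der".
    The DER check in step 2 is an added safeguard: real DER certificates
    begin 0x30 0x82 and 0x82 is not base64, but arbitrary text may be."""
    m = PEM_RE.search(value)
    if m:
        return "pem", base64.b64decode(m.group("body"))  # newlines ignored
    compact = b"".join(value.split())                      # drop whitespace
    try:
        der = base64.b64decode(compact, validate=True)
        if looks_like_der_cert(der):
            return "base64", der
    except (binascii.Error, ValueError):
        pass
    return "der", value


# Constructed samples: a minimal SEQUENCE{INTEGER 1}, not a real certificate.
DER_SAMPLE = b"\x30\x03\x02\x01\x01"
B64_SAMPLE = b"MAMCAQE=\n"
PEM_SAMPLE = b"-----BEGIN CERTIFICATE-----\nMAMCAQE=\n-----END CERTIFICATE-----\n"
```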