From: Arne Jørgensen
Newsgroups: gmane.emacs.gnus.general
Subject: Re: ldap cert retrieval and pem encoding
Date: Sat, 28 May 2005 13:30:28 +0200
Organization: Arne Joergensen -- http://arnested.dk/
Message-ID: <874qcnh9kb.fsf@arnested.dk>
References: <87wtpkbzyz.fsf@arnested.dk>
Cc: ding@gnus.org, Simon Josefsson
To: Ulf Stegemann
In-Reply-To: (Ulf Stegemann's message of "Fri, 27 May 2005 17:58:20 +0200")
User-Agent: Gnus/5.110004 (No Gnus v0.4) Emacs/22.0.50 (gnu/linux)

Ulf Stegemann writes:

> Arne Jørgensen wrote:
>
>> Was this with or without the patch I posted here some weeks ago?
>
> I tried it only with the patch.

OK. Then the world makes sense again.

>> I've read somewhere that certificates published via LDAP _should_
>> always be in DER format. But your LDAP server is probably not the only
>> server out there delivering in PEM format so we should maybe support
>> this anyway.
>>
>> Is there some way to identify that the certificate is in PEM format?
>
> The only way to tell if the certificate is PEM encoded is to look at the
> certificate itself ...
>
>> Could you try to issue a command line like:
>>
>> ldapsearch -x -t -h LDAPSERVER -b SEARCHBASE "mail=your@address.com" "userCertificate"
>>
>> and have a look at whether the userCertificate attribute is reported
>> as userCertificate or userCertificate;binary?
>
> ... as every certificate is delivered as userCertificate;binary and no other
> field indicates the kind of encoding.
>
>> And look whether the retrieved certificate contains the PEM header and
>> footer? (-----BEGIN CERTIFICATE-----)
>
> Certificates from the ldap do contain the '-----BEGIN CERTIFICATE-----' and
> '-----END CERTIFICATE-----' lines.
>
> I do not know what's the intent of the guys running the ldap server to store
> certificates in different encodings. I was asked to provide my certificate
> PEM encoded but I presume that the encoding demanded is dependent on the
> ldap admin I talk to.
>
> Anyway, the main purpose for the ldap provided certificates is to allow
> Outlook users (and to a lesser degree Mozilla Mail/Thunderbird users) to
> encrypt/verify mail. Therefore, I think that any certificate recognized by
> Outlook --- may it be DER or PEM encoded, may it be with or without
> '-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' lines, may it
> be as userCertificate or userCertificate;binary --- will possibly appear in
> ldap servers out there. I think it would be useful to know which kind of
> data Outlook (Mozilla Mail/Thunderbird) could handle to find out what could
> happen in the wild. However, I'm not familiar with Outlook and will
> most likely never be. Someone else?

I have no idea what Outlook expects either.

What we could do in Gnus is:

1. If it contains "-----BEGIN CERTIFICATE-----" it is in PEM format.

2. Otherwise try to base64-decode it and if that succeeds also assume it
   is in PEM format.

3. Finally decide it must be in DER format.

This shouldn't be difficult to implement. I have time to make an
implementation on Tuesday.

Kind regards,
-- 
Arne Jørgensen
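A worked version of the three-step detection described in the message above, added here as an example; it is not code from the thread and not Gnus's own implementation (it is written in Python rather than Emacs Lisp so it can be run stand-alone). It classifies a userCertificate value as PEM, bare base64 or DER and in every case returns the DER bytes. The sample certificate is a constructed stand-in (a minimal DER SEQUENCE), not a real X.509 certificate. One check goes beyond the thread's heuristic: a successful base64 decode is a weak signal on its own, so the decoded bytes are also required to be one complete ASN.1 SEQUENCE (tag 0x30), which every X.509 certificate is. Note that the `;binary` attribute option Ulf mentions is carried by the LDAP attribute description, not the value, so this function cannot see it.

```python
import base64
import re
from typing import Tuple

# PEM armour as discussed in the thread; the body may be wrapped at 64 columns.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def der_sequence_length(data: bytes) -> int:
    """Total length of the outer ASN.1 SEQUENCE that starts data, or -1 if
    data does not begin with a well-formed SEQUENCE header.  An X.509
    certificate is always one outer SEQUENCE (tag 0x30)."""
    if len(data) < 2 or data[0] != 0x30:
        return -1
    first = data[1]
    if first < 0x80:                      # short-form length
        return 2 + first
    n = first & 0x7F                      # long form: n length bytes follow
    if n == 0 or n > 4 or len(data) < 2 + n:
        return -1
    return 2 + n + int.from_bytes(data[2:2 + n], "big")


def looks_like_der(data: bytes) -> bool:
    """True if data is exactly one complete DER SEQUENCE."""
    return der_sequence_length(data) == len(data)


def classify_certificate(data: bytes) -> Tuple[str, bytes]:
    """Return (encoding, der_bytes) for a userCertificate value as retrieved
    from LDAP; encoding is 'pem', 'base64' or 'der'.  Raises ValueError when
    none of the three forms matches."""
    # Step 1: PEM header present -> decode the body between header and footer.
    m = PEM_RE.search(data)
    if m:
        body = re.sub(rb"\s+", b"", m.group(1))
        der = base64.b64decode(body, validate=True)
        if not looks_like_der(der):
            raise ValueError("PEM body does not decode to a DER SEQUENCE")
        return "pem", der
    # Step 2: no armour -> strict base64 decode.  The thread's heuristic stops
    # at "decode succeeded"; also requiring a complete SEQUENCE avoids
    # misclassifying short byte strings that happen to be valid base64.
    try:
        der = base64.b64decode(re.sub(rb"\s+", b"", data), validate=True)
    except ValueError:                    # binascii.Error is a ValueError
        der = b""
    if der and looks_like_der(der):
        return "base64", der
    # Step 3: otherwise it must already be DER.
    if looks_like_der(data):
        return "der", data
    raise ValueError("unrecognised certificate encoding")


def is_certificate_value(data: bytes) -> bool:
    """True if data is in one of the three recognised forms."""
    try:
        classify_certificate(data)
        return True
    except ValueError:
        return False


# Constructed stand-in for a certificate: a minimal DER SEQUENCE { INTEGER 5 }.
# It is not a real X.509 certificate; classification only inspects the outer tag.
SAMPLE_DER = b"\x30\x03\x02\x01\x05"
SAMPLE_B64 = base64.b64encode(SAMPLE_DER)                      # b"MAMCAQU="
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + SAMPLE_B64
              + b"\n-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    for value in (SAMPLE_PEM, SAMPLE_B64, SAMPLE_DER):
        encoding, der = classify_certificate(value)
        print(encoding, der.hex())
```

The order of the steps matches the message: armour first, then a strict base64 attempt, then raw DER. Raw DER never survives the strict base64 decode because its length bytes fall outside the base64 alphabet, so the SEQUENCE check on the decoded bytes is what protects against a stray short value being accepted as "PEM without armour".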