From: Ulf Stegemann
Newsgroups: gmane.emacs.gnus.general
Subject: Re: ldap cert retrieval and pem encoding
Date: Fri, 27 May 2005 17:58:20 +0200
To: Arne Jørgensen
Cc: ding@gnus.org, Simon Josefsson
References: <87wtpkbzyz.fsf@arnested.dk>
In-Reply-To: <87wtpkbzyz.fsf@arnested.dk> (Arne Jørgensen's message of "Fri, 27 May 2005 00:31:14 +0200")
User-Agent: Gnus/5.110004 (No Gnus v0.4) XEmacs/21.4.17 (linux)

Arne Jørgensen wrote:

> Ulf Stegemann writes:
>
>> XEmacs 21.4 (patch 17) "Jumbo Shrimp" [Lucid] (i686-pc-linux, Mule),
>> No Gnus v0.4
>>
>> The ldap server I use stores s/mime certificates either in DER or in PEM
>> format. smime-ldap retrieves only DER encoded certificates correctly. PEM
>> encoded certificates are fetched, too, but the resulting tmp file/buffer does
>> not contain the correct cert only something that looks like a cert.

[...]

> Was this with or without the patch i posted here some weeks ago?

I tried it only with the patch.

> I've read somewhere that certificates published via LDAP _should_
> always be in DER format. But your LDAP server is probably not the only
> server out there delivering in PEM format so we should maybe support
> this anyway.
>
> Is there some way to identify that the certificate is in PEM format?

The only way to tell if the certificate is PEM encoded is to look at the
certificate itself ...

> Could you try to issue a command line like:
>
> ldapsearch -x -t -h LDAPSERVER -b SEARCHBASE "mail=your@address.com" "userCertificate"
>
> and have a look at whether the userCertificate attribute is reported
> as userCertificate or userCertificate;binary?

...
as every certificate is delivered as userCertificate;binary and no
other field indicates the kind of encoding.

> And look whether the retrieved certificate contains the PEM header and
> footer? (-----BEGIN CERTIFICATE-----)

Certificates from the ldap do contain the '-----BEGIN CERTIFICATE-----'
and '-----END CERTIFICATE-----' lines.

I do not know what the intent of the guys running the ldap server is in
storing certificates in different encodings. I was asked to provide my
certificate PEM encoded, but I presume that the encoding demanded depends
on the ldap admin I talk to.

Anyway, the main purpose of the ldap provided certificates is to allow
Outlook users (and to a lesser degree Mozilla Mail/Thunderbird users) to
encrypt/verify mail. Therefore, I think that any certificate recognized by
Outlook, be it DER or PEM encoded, with or without
'-----BEGIN CERTIFICATE-----' and '-----END CERTIFICATE-----' lines, as
userCertificate or userCertificate;binary, will possibly appear in ldap
servers out there. I think it would be useful to know which kind of data
Outlook (Mozilla Mail/Thunderbird) can handle, to find out what could
happen in the wild. However, I'm not familiar with Outlook and will most
likely never be. Someone else?

Ulf
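The thread's conclusion is that the attribute name (userCertificate vs. userCertificate;binary) says nothing about the encoding and that the only reliable signal is the value itself. The following is an added illustration, written in Python for this page and not code from Gnus or smime-ldap, of how a client can classify a raw userCertificate value as DER, PEM-armoured or bare base64 and normalise it to DER. It does not talk to an LDAP server; the input is a constructed stand-in for the bytes that ldapsearch -t would write to a file, and the "certificate" is a minimal DER SEQUENCE rather than a real X.509 certificate (the structural check used here, outer SEQUENCE tag and declared length matching the buffer, is the same for both). Function names are the example's own.

```python
import base64
import re
from typing import Optional, Tuple

# PEM armour as it would appear in a userCertificate value stored as text.
PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----",
    re.DOTALL,
)


def der_length(buf: bytes) -> Optional[int]:
    """Total length implied by the outer DER SEQUENCE header of buf.

    Returns None if buf does not start with a SEQUENCE (0x30) tag or the
    length octets are malformed.  Only the outer header is parsed; that is
    enough to distinguish a DER blob from text that merely looks like one.
    """
    if len(buf) < 2 or buf[0] != 0x30:
        return None
    first = buf[1]
    if first < 0x80:                       # short form: one length octet
        return 2 + first
    n = first & 0x7F                       # long form: n length octets follow
    if n == 0 or n > 4 or len(buf) < 2 + n:
        return None
    return 2 + n + int.from_bytes(buf[2:2 + n], "big")


def looks_like_der(buf: bytes) -> bool:
    """True if buf is exactly one DER SEQUENCE with a consistent length."""
    return der_length(buf) == len(buf)


def normalize_certificate(raw: bytes) -> Tuple[str, bytes]:
    """Classify a userCertificate value and return (encoding, der_bytes).

    encoding is "der", "pem" or "base64".  Raises ValueError for anything
    else, including PEM armour wrapped around data that is not DER (the
    "something that looks like a cert" failure mode from the thread).
    """
    # 1. Binary DER as the LDAP schema intends.
    if looks_like_der(raw):
        return "der", raw

    # 2. PEM armour: decode the body and insist that it is DER.
    m = PEM_RE.search(raw)
    if m:
        der = base64.b64decode(m.group(1))   # non-alphabet bytes are dropped
        if not looks_like_der(der):
            raise ValueError("PEM block does not decode to a DER SEQUENCE")
        return "pem", der

    # 3. Bare base64 without armour; whitespace removed, strict alphabet.
    try:
        der = base64.b64decode(b"".join(raw.split()), validate=True)
    except ValueError as exc:                # binascii.Error is a ValueError
        raise ValueError("value is not DER, PEM or bare base64") from exc
    if looks_like_der(der):
        return "base64", der
    raise ValueError("base64 body is not a DER SEQUENCE")


# Constructed sample input (not a real certificate): DER SEQUENCE { INTEGER 5 }.
SAMPLE_DER = bytes([0x30, 0x03, 0x02, 0x01, 0x05])
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")
SAMPLE_B64 = base64.b64encode(SAMPLE_DER)
BROKEN_PEM = b"-----BEGIN CERTIFICATE-----\nnot a cert\n-----END CERTIFICATE-----\n"


if __name__ == "__main__":
    for label, value in (("der", SAMPLE_DER), ("pem", SAMPLE_PEM),
                         ("b64", SAMPLE_B64), ("bad", BROKEN_PEM)):
        try:
            enc, der = normalize_certificate(value)
            print(f"{label}: detected {enc}, {len(der)} DER bytes")
        except ValueError as exc:
            print(f"{label}: rejected ({exc})")
```

In practice the bytes would come from the file ldapsearch -t writes for the attribute, or from the buffer smime-ldap fills; whichever path is taken, the check on the decoded result is what prevents a PEM wrapper around garbage from being written out as if it were a certificate.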