[x500standard] Re: User certificates

  • From: "David A. Cooper" <david.cooper@xxxxxxxx>
  • To: Bill Russell <brussell@xxxxxxxxxxxx>
  • Date: Tue, 24 Mar 2009 09:37:17 -0700

Bill,

Here is the definition from X.509:
A user may obtain one or more public-key certificates from one or more CAs. The userCertificate attribute type contains the public-key certificates a user has obtained from one or more CAs.
So, it cannot be used to hold attribute certificates.  There is a separate set of attributes to hold attribute certificates.  For example, attributeCertificateAttribute:
The [attributeCertificateAttribute] contains attribute certificates issued to a specific holder and is stored in the directory entry of that holder.

But, I am surprised to hear that most applications assume only one certificate in the userCertificate attribute.  In most directory entries that I see for end users, there are two certificates in the userCertificate attribute: a digital signature certificate and a key management certificate.

Dave


Bill Russell wrote:
I believe the directory attribute userCertificate is a multivalue attribute. I see no reason why it cannot be used to store an attribute certificate. However, some applications may get confused. I think in practice, most apps assume only one certificate in the userCertificate.
The term "user" has proved ambiguous; so, I'd agree that there would be some value in defining it. However, I would not define it to exclude attribute certificates.
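The exchange above turns on two checks a directory consumer can actually make: userCertificate is multi-valued (commonly a signature certificate and a key-management certificate), and an attribute certificate does not belong in it at all. The following is an added example, not code from the thread or from any X.500 product: it walks every value of the attribute and flags any that has the ASN.1 shape of an attribute certificate instead of a public-key certificate. The `der`, `tlvs`, `classify`, `misplaced_values` and `sample_values` names are this example's own, and the sample values are constructed byte patterns, not real certificates.

```python
# Added example, not from the thread: flag values of a multi-valued userCertificate
# attribute that are attribute certificates rather than public-key certificates.
# Both are DER SEQUENCE { info SEQUENCE, sigAlg, signature }, but the inner SEQUENCE
# starts differently: TBSCertificate (RFC 5280) with [0] EXPLICIT version (INTEGER
# serial for v1); AttributeCertificateInfo (RFC 5755) with INTEGER version, SEQUENCE
# holder, [0] v2Form issuer. Sample values are constructed here, not real certificates.

def der(tag: int, body: bytes) -> bytes:      # encode one DER TLV, definite length
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def tlvs(buf: bytes):
    """Yield (tag, value) for each TLV in buf; ValueError/IndexError if malformed."""
    i = 0
    while i < len(buf):
        tag, n, i = buf[i], buf[i + 1], i + 2
        if n & 0x80:                          # long-form length
            k = n & 0x7F
            n, i = int.from_bytes(buf[i:i + k], "big"), i + k
        if i + n > len(buf):
            raise ValueError("truncated DER element")
        yield tag, buf[i:i + n]
        i += n

def classify(value: bytes) -> str:
    """Return 'public-key certificate', 'attribute certificate' or 'unknown'."""
    try:
        outer = list(tlvs(value))
        inner = list(tlvs(outer[0][1])) if len(outer) == 1 and outer[0][0] == 0x30 else []
        if len(inner) != 3 or inner[0][0] != 0x30:
            return "unknown"
        tags = [t for t, _ in tlvs(inner[0][1])]
    except (ValueError, IndexError):
        return "unknown"
    if tags[:1] == [0xA0]:                    # explicit version: v3 public-key cert
        return "public-key certificate"
    if tags[:3] == [0x02, 0x30, 0xA0]:        # version, holder, v2Form issuer: AC
        return "attribute certificate"
    if tags[:3] == [0x02, 0x30, 0x30]:        # serial, sigAlg, issuer Name: v1 PKC
        return "public-key certificate"       # (an obsolete v1Form AC would look the same)
    return "unknown"

def misplaced_values(user_certificate_values):
    """Index and kind of each userCertificate value that is not a public-key certificate."""
    return [(i, k) for i, k in enumerate(map(classify, user_certificate_values)) if k != "public-key certificate"]
def sample_values():
    """Constructed shapes only, not real certificates: (v3 PKC, v2 AC) with empty fields."""
    pkc_tbs = der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + der(0x30, b"") + der(0x30, b"")
    ac_info = der(0x02, b"\x01") + der(0x30, b"") + der(0xA0, b"") + der(0x30, b"")
    sig = der(0x30, b"") + der(0x03, b"\x00")
    return der(0x30, der(0x30, pkc_tbs) + sig), der(0x30, der(0x30, ac_info) + sig)
```

An application that only reads the first value would silently skip the key-management certificate in the typical two-value entry; iterating and classifying each value, as above, catches both that case and a misplaced attribute certificate.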



----- www.x500standard.com: The central source for information on the X.500 Directory Standard.
