Bill,

Here is the definition from X.509:

    A user may obtain one or more public-key certificates from one or more CAs. The userCertificate attribute type contains the public-key certificates a user has obtained from one or more CAs.

So, it cannot be used to hold attribute certificates. There is a separate set of attributes to hold attribute certificates. For example, attributeCertificateAttribute:

    The [attributeCertificateAttribute] contains attribute certificates issued to a specific holder and is stored in the directory entry of that holder.

But, I am surprised to hear that most applications assume only one certificate in the userCertificate attribute. In most directory entries that I see for end users, there are two certificates in the userCertificate attribute: a digital signature certificate and a key management certificate.

Dave

Bill Russell wrote:
----- www.x500standard.com: The central source for information on the X.500 Directory Standard.