Hi Dave,

Thanks for the clarification on attribute certificates. In terms of which applications can properly handle multiple certificates in the userCertificate attribute, you are probably a better judge than I based on your lab exposure. At State, there is only one certificate in the entry, which removes any ambiguity. With Outlook, I thought it defaulted to the first userCertificate it finds, unless there is a default S/MIME certificate attribute (userSMimeCertificate) configured outside of the userCertificate attribute.

Are the directory entries containing multiple certificates from shared service providers? Other than in our own lab set-ups, I have not come across any live directories with digital signature certs in the directory. At State the DS cert is on the card but not in the directory.

Take care,
Bill

________________________________
From: David A. Cooper [david.cooper@xxxxxxxx]
Sent: Tuesday, March 24, 2009 12:37 PM
To: Bill Russell
Cc: x500standard@xxxxxxxxxxxxx; PKIX
Subject: Re: [x500standard] Re: User certificates

Bill,

Here is the definition from X.509:

    A user may obtain one or more public-key certificates from one or more CAs. The userCertificate attribute type contains the public-key certificates a user has obtained from one or more CAs.

So, it cannot be used to hold attribute certificates. There is a separate set of attributes to hold attribute certificates. For example, attributeCertificateAttribute:

    The [attributeCertificateAttribute] contains attribute certificates issued to a specific holder and is stored in the directory entry of that holder.

But, I am surprised to hear that most applications assume only one certificate in the userCertificate attribute. In most directory entries that I see for end users, there are two certificates in the userCertificate attribute: a digital signature certificate and a key management certificate.

Dave

Bill Russell wrote:

I believe the directory attribute userCertificate is a multivalue attribute. I see no reason why it cannot be used to store an attribute certificate. However, some applications may get confused. I think in practice, most apps assume only one certificate in the userCertificate. The term "user" has proved ambiguous; so, I'd agree that there would be some value in defining it. However, I would not define it to exclude attribute certificates.

________________________________
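The thread turns on userCertificate being multi-valued (typically a signature cert plus a key-management cert) while some clients simply take the first value. The following added example, written for this page and not taken from any of the correspondents or from any product named above, instead selects a value by its KeyUsage extension; the parser is a generic DER tag-length-value walk that also works on real DER certificates, but the sample attribute values below are constructed fragments, not real certificates.

```python
KEY_USAGE_OID = bytes.fromhex("551d0f")   # OID 2.5.29.15 (KeyUsage)
KU_NAMES = ["digitalSignature", "nonRepudiation", "keyEncipherment", "dataEncipherment",
            "keyAgreement", "keyCertSign", "cRLSign", "encipherOnly", "decipherOnly"]

def _tlv(buf, pos):
    """Decode one DER TLV starting at pos -> (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def key_usage(der):
    """Set of KeyUsage bit names found in a DER certificate, or None if absent."""
    def walk(body):
        kids, pos = [], 0
        while pos < len(body):                      # collect the direct children
            tag, val, pos = _tlv(body, pos)
            kids.append((tag, val))
        if kids and kids[0] == (0x06, KEY_USAGE_OID):   # the KeyUsage Extension SEQUENCE
            _, bits, _ = _tlv(kids[-1][1], 0)           # BIT STRING inside extnValue
            unused, data = bits[0], bits[1:]
            nbits = min(len(data) * 8 - unused, len(KU_NAMES))
            return {KU_NAMES[i] for i in range(nbits) if data[i // 8] >> (7 - i % 8) & 1}
        for tag, val in kids:
            if tag & 0x20:                              # constructed type: descend
                found = walk(val)
                if found is not None:
                    return found
        return None
    tag, body, _ = _tlv(der, 0)
    return walk(body) if tag & 0x20 else None

def pick_certificate(values, wanted):
    """First userCertificate value whose KeyUsage covers `wanted`, else None."""
    return next((d for d in values if wanted <= (key_usage(d) or set())), None)

# Constructed sample values: minimal DER fragments shaped like a certificate that
# carries only an Extensions block. These are NOT real certificates.
def _der(tag, body):
    return bytes([tag, len(body)]) + body               # short-form length only

def _fragment(ku_byte, unused_bits):
    ext = _der(0x30, _der(0x06, KEY_USAGE_OID) + _der(0x01, b"\xff")
               + _der(0x04, _der(0x03, bytes([unused_bits, ku_byte]))))
    return _der(0x30, _der(0x30, _der(0xA3, _der(0x30, ext))))

USER_CERTIFICATE = [               # value order as a directory might return it
    _fragment(0x20, 5),            # key-management cert: keyEncipherment only
    _fragment(0xC0, 6),            # signature cert: digitalSignature|nonRepudiation
]
```

A "first value wins" client would pick the key-management fragment here; `pick_certificate(USER_CERTIFICATE, {"digitalSignature"})` returns the second value.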