[x500standard] Re: User certificates

  • From: Bill Russell <brussell@xxxxxxxxxxxx>
  • To: "David A. Cooper" <david.cooper@xxxxxxxx>
  • Date: Tue, 24 Mar 2009 23:09:17 -0400

Hi Dave,

Thanks for the clarification on attribute certificates. In terms of which 
applications can properly handle multiple certificates in the userCertificate 
attribute, you are probably a better judge than I based on your lab exposure. 
At State, there is only one certificate in the entry, which removes any 
ambiguity. With Outlook, I thought it defaulted to the first userCertificate it 
finds, unless there is a default S/MIME certificate attribute  
(userSMimeCertificate) configured outside of the userCertificate attribute. Are 
the directory entries containing multiple certificates from shared service 
providers? Other than in our own lab setups, I have not come across any live 
directories with digital signature certs in the directory. At State the DS cert 
is on the card but not the directory.

Take care,
Bill
________________________________
From: David A. Cooper [david.cooper@xxxxxxxx]
Sent: Tuesday, March 24, 2009 12:37 PM
To: Bill Russell
Cc: x500standard@xxxxxxxxxxxxx; PKIX
Subject: Re: [x500standard] Re: User certificates

Bill,

Here is the definition from X.509:
A user may obtain one or more public-key certificates from one or more CAs. The 
userCertificate attribute type contains the public-key certificates a user has 
obtained from one or more CAs.
So, it cannot be used to hold attribute certificates.  There is a separate set 
of attributes to hold attribute certificates.  For example, 
attributeCertificateAttribute:
The [attributeCertificateAttribute] contains attribute certificates issued to a 
specific holder and is stored in the directory entry of that holder.

But, I am surprised to hear that most applications assume only one certificate 
in the userCertificate attribute.  In most directory entries that I see for end 
users, there are two certificates in the userCertificate attribute: a digital 
signature certificate and a key management certificate.

Dave


Bill Russell wrote:
I believe the directory attribute userCertificate is a multivalue attribute. I 
see no reason why it cannot be used to store an attribute certificate. However, 
some applications may get confused. I think in practice, most apps assume only 
one certificate in the userCertificate.

The term "user" has proved ambiguous; so, I'd agree that there would be some 
value in defining it. However, I would not define it to exclude attribute 
certificates.
________________________________
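The exchange above turns on one point: userCertificate is multi-valued, and an entry routinely carries both a digital-signature certificate and a key-management certificate, so an application that takes the first value it finds can end up encrypting to a signing key. The following is an added example, not code from either poster: it builds two constructed placeholder certificates (valid DER layout, dummy key and dummy signature, so they can never pass a trust check), parses the KeyUsage extension with a small hand-written DER walker, and selects a userCertificate value by the usage the application actually needs. The entry is a plain dict standing in for an LDAP search result; the function names are my own.

```python
# --- minimal DER helpers (enough for the structures used here) ---------------
SEQ, SET, INT, BITSTR, OCTSTR, OID, UTF8, UTCTIME, BOOL, NULL = (
    0x30, 0x31, 0x02, 0x03, 0x04, 0x06, 0x0C, 0x17, 0x01, 0x05)
CTX0, CTX3 = 0xA0, 0xA3          # [0] version and [3] extensions (EXPLICIT)

def der(tag, body):
    """Encode one TLV with a DER definite length (single-byte tags only)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body

def read_tlv(buf, pos):
    """Decode the TLV at pos; return (tag, body, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                       # long-form length
        nb = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nb], "big")
        pos += nb
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

KEY_USAGE_OID = b"\x55\x1d\x0f"          # id-ce-keyUsage, 2.5.29.15
KEY_USAGE_BITS = ["digitalSignature", "nonRepudiation", "keyEncipherment",
                  "dataEncipherment", "keyAgreement", "keyCertSign",
                  "cRLSign", "encipherOnly", "decipherOnly"]

def key_usage(cert_der):
    """Return the set of KeyUsage bit names asserted in a DER certificate."""
    _, cert, _ = read_tlv(cert_der, 0)          # Certificate ::= SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)               # tbsCertificate
    pos = 0
    while pos < len(tbs):
        tag, body, pos = read_tlv(tbs, pos)
        if tag != CTX3:
            continue                            # not the extensions field
        _, exts, _ = read_tlv(body, 0)          # Extensions ::= SEQUENCE OF Extension
        epos = 0
        while epos < len(exts):
            _, ext, epos = read_tlv(exts, epos)
            _, oid, p = read_tlv(ext, 0)
            if oid != KEY_USAGE_OID:
                continue
            tag, nxt, p = read_tlv(ext, p)
            if tag == BOOL:                     # optional 'critical' flag
                tag, nxt, p = read_tlv(ext, p)
            _, bits, _ = read_tlv(nxt, 0)       # OCTET STRING wraps a BIT STRING
            unused, data = bits[0], bits[1:]
            usable = len(data) * 8 - unused
            return {name for i, name in enumerate(KEY_USAGE_BITS)
                    if i < usable and (data[i // 8] >> (7 - i % 8)) & 1}
    return set()

def select_certificate(entry, needed):
    """Pick the userCertificate value whose KeyUsage asserts `needed`.
    Fails loudly on zero or several matches rather than silently taking the first."""
    matches = [c for c in entry.get("userCertificate", []) if needed in key_usage(c)]
    if len(matches) != 1:
        raise LookupError(f"{len(matches)} certificates assert {needed}")
    return matches[0]

def first_value(entry):
    """What an application that assumes a single value effectively does."""
    return entry["userCertificate"][0]

# --- constructed placeholder certificates (NOT real certificates) -------------
def name(cn):
    return der(SEQ, der(SET, der(SEQ, der(OID, b"\x55\x04\x03") + der(UTF8, cn.encode()))))

SHA256_RSA = der(SEQ, der(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(NULL, b""))
RSA_KEY = der(OID, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01")

def fake_cert(cn, serial, ku_bits):
    """Valid DER layout with a dummy key and dummy signature: it exercises
    attribute selection only and can never pass signature or chain validation."""
    ext = der(SEQ, der(OID, KEY_USAGE_OID) + der(BOOL, b"\xff")
              + der(OCTSTR, der(BITSTR, ku_bits)))
    tbs = der(SEQ,
              der(CTX0, der(INT, b"\x02"))                               # v3
              + der(INT, bytes([serial]))
              + SHA256_RSA
              + name("Test CA (constructed)")
              + der(SEQ, der(UTCTIME, b"090101000000Z") + der(UTCTIME, b"100101000000Z"))
              + name(cn)
              + der(SEQ, der(SEQ, RSA_KEY + der(NULL, b"")) + der(BITSTR, b"\x00" + b"\x01" * 8))
              + der(CTX3, der(SEQ, ext)))
    return der(SEQ, tbs + SHA256_RSA + der(BITSTR, b"\x00" + b"\x00" * 8))

# Constructed entry in the shape the thread describes: two userCertificate values.
SIGN_CERT = fake_cert("Jane Doe (constructed)", 1, b"\x06\xc0")   # digitalSignature, nonRepudiation
KM_CERT = fake_cert("Jane Doe (constructed)", 2, b"\x05\x20")     # keyEncipherment
ENTRY = {"userCertificate": [SIGN_CERT, KM_CERT]}

if __name__ == "__main__":
    print("first value   :", key_usage(first_value(ENTRY)))
    print("for encryption:", key_usage(select_certificate(ENTRY, "keyEncipherment")))
    print("for signing   :", key_usage(select_certificate(ENTRY, "digitalSignature")))
```

With the two values in the order above, the first-value approach returns the signing certificate for every purpose, whereas selecting by KeyUsage returns the key-management certificate for encryption and the signing certificate for signature verification. A real client would additionally validate the chain and check revocation before using either certificate; the walker here only reads a single extension and does not attempt that.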

