https://bugs.openldap.org/show_bug.cgi?id=9540
--- Comment #6 from Michael Ströder michael@stroeder.com ---
> (In reply to Michael Ströder from comment #4)
> > And are you and the developers of this LDAP client aware that originally this attribute was meant to carry a signed S/MIME message with an empty body to also carry the S/MIME capabilities of a client?
> Yes, we are aware of that, and that's how we've implemented our software.

So you're signing with the user's private key? How? Do you have key escrow?

> But I wasn't aware of this:
> > [...] After that I never saw a client making correct use of this attribute.
> I was speaking of MS Outlook, but now I've performed a few more tests with Thunderbird and Apple Mail, and neither of them accepted the format. Not sure if they did not accept the LDAP attribute or didn't know how to make use of it, but I admit I'm baffled.

The Mozilla folks hunked out almost all LDAP features from the ancient Mozilla suite many moons ago, mostly the ones regarding S/MIME certs. These features never came back.

Nowadays it's even harder to enroll for S/MIME certs without manual PKCS#12 import.

> Can it be true that this attribute was never ever implemented properly in any of the (widely used) email clients?

Yes, exactly. And that's why this ticket is a bit about trying to ride a dead horse. Sorry.
Ciao, Michael.