Erwann Abalea wrote:
> Hodie III Kal. Feb. MMX, Howard Chu scripsit:
> [Latin: "Today, 30 January 2010, Howard Chu wrote:"]

(Sorry, just had to laugh, using a ~3000 year old language in email...)

>> erwann.abalea@keynectis.com wrote:
>> Also note that, technically, LDAP is defined to conform to the 1993 edition of the X.500 specs, and X.509(1993) makes no such allowance here.
>
> I didn't know that LDAP was designed to conform to a specific edition of the standard. Isn't that strange? After all, it should also refuse to handle X.509v2 CRLs and X.509v3 certificates, which appear for the first time in the 1997 edition. Anyway, I hadn't thought about looking at older revisions of the X.509 standard. You're right, my 1997 edition doesn't say anything about this, and my 2000 edition (a French version) has the same text as the 2005 one.
See RFC4510, section 2. Yes, it's certainly an inconsistency in the LDAP spec that RFC4513 requires use of subjectAltNames, which clearly require X.509v3 certs, but the only normative reference to the necessary edition of X.509 is outside the core specification. (Looking again, I see that RFC4523 references X.509(2000), so it appears that some portions of newer X.500 editions are being incorporated piecemeal...)
> Anyway, thank you again. I'll test the head version and will come back later.
>
> BTW, what do you mean by "needs some thought" (in the ticket notes)?

I hadn't decided yet if slapd should log a warning for this or not.