Re: [ldapext] Fwd: New Version Notification for draft-stroeder-mailboxrelatedobject-06.txt

Sean Leonard <> Sun, 05 October 2014 21:53 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id 1C1791A0070 for <>; Sun, 5 Oct 2014 14:53:38 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.301
X-Spam-Status: No, score=-2.301 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, MIME_8BIT_HEADER=0.3, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_PASS=-0.001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id NLev_MeneyXr for <>; Sun, 5 Oct 2014 14:53:37 -0700 (PDT)
Received: from ( []) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by (Postfix) with ESMTPS id E955E1A006F for <>; Sun, 5 Oct 2014 14:53:36 -0700 (PDT)
Received: from [] (unknown []) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPSA id 9A347509B5; Sun, 5 Oct 2014 17:53:35 -0400 (EDT)
Message-ID: <>
Date: Sun, 05 Oct 2014 14:52:58 -0700
From: Sean Leonard <>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Thunderbird/31.1.2
MIME-Version: 1.0
To: =?windows-1252?Q?Michael_Str=F6der?= <>,
References: <> <> <> <> <> <> <>
In-Reply-To: <>
Content-Type: text/plain; charset=windows-1252; format=flowed
Content-Transfer-Encoding: 8bit
Subject: Re: [ldapext] Fwd: New Version Notification for draft-stroeder-mailboxrelatedobject-06.txt
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: LDAP Extension Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 05 Oct 2014 21:53:38 -0000

On 10/5/2014 2:18 PM, Michael Ströder wrote:
> Sean Leonard wrote:
>> On 9/26/2014 9:08 AM, Michael Ströder wrote:
>>> Michael Ströder wrote:
>>>> Personally I consider PKCS#9 to be seriously flawed. E.g. defining as
>>>> GeneralizedTime is bad design. Yuck!
>>> Should have been: "defining dateOfBirth as GeneralizedTime"
>>>                           ^^^^^^^^^^^
>> Hi Michael, I just wanted to follow up on this. What exactly is the problem
>> with GeneralizedTime?
> There's no real semantics using a time part for dateOfBirth and matching will
> be incorrect.
> Furthermore I'm strongly against arbitrarily using zeroed time in case of
> unknown birth time.

Well what can I say. I'm not going to defend it. I wasn't involved in 
the 80s when GeneralizedTime was created, nor was I involved in the 90s 
when PKCS #9 came out. Suffice to say, the protocol designers had those 
tools available to them at the time, and they ran with it. The ASN.1 
TIME type was not invented until 2004. Too late now.

RFC 3739 says:

       The dateOfBirth attribute SHALL, when present, contain the value
       of the date of birth of the subject.  The manner in which the date
       of birth is associated with the subject is outside the scope of
       this document.  The date of birth is defined in the
       GeneralizedTime format and SHOULD specify GMT 12.00.00 (noon) down
       to the granularity of seconds, in order to prevent accidental
       change of date due to time zone adjustments.  For example, a birth
       date of September 27, 1959 is encoded as "19590927120000Z".
       Compliant certificate parsing applications SHOULD ignore any time
       data and just present the contained date without any time zone

This seems like a reasonable compromise under the circumstances and is 
not "arbitrary" since regardless of the time zone of the receiver, it 
would be interpreted as the same date anyway.