> On 2 Jul 2020, at 19:29, Michael Richardson <[email protected]> wrote:
>
> Eliot Lear <[email protected]> wrote:
>> I have no objection. My only caution is that otherName is poorly
>> supported in the open source tool sets, but that is something we could
>> conceivably work on.
>
> I disagree!
> otherName is adequately supported (if poorly documented) in openssl.cnf for
> our purposes.
> Creating otherName SAN extensions from library interface is fully supported.
>
> The openssl x509 -text output program does not know how to format arbitrary
> otherName text, so it just says <unsupported>.
Whereas for a URI it will actually provide you the URI. Also, if the otherName
is at all complex, the openssl.cnf file is entirely counter-intuitive. This
having been said, one needn’t write to OpenSSL’s limitations.
Eliot
>
> Here is a proprietary otherName that I created awhile ago, implemented in
> ruby:
>
> # the OID: 1.3.6.1.4.1.46930.1 is a Private Enterprise Number OID:
> # iso.org.dod.internet.private.enterprise . SANDELMAN=46930 .. 1
> @idevid.add_extension(extension_factory.create_extension(
>   "subjectAltName",
>   sprintf("otherName:1.3.6.1.4.1.46930.1;UTF8:%s",
>           self.sanitized_eui64),
>   false))
>
> The hardest part was figuring out the ";UTF8:" part, as I had to read the C
> code underneath to learn how that worked.
> (false is, I think, whether it is critical)
>
> --
> Michael Richardson <[email protected]>, Sandelman Software Works
> -= IPv6 IoT consulting =-
_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
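As an added example (not code from the thread), here is a self-contained Ruby script that builds a self-signed certificate with an otherName SAN using the same "otherName:<oid>;UTF8:<text>" syntax Michael describes, and then decodes the SAN from DER to recover the text that openssl x509 -text prints as <unsupported>. The OID is the 1.3.6.1.4.1.46930.1 arc from the thread; the EUI-64 value and the subject CN are constructed samples.

```ruby
require "openssl"

# Private Enterprise Number arc quoted in the thread; the device identifier
# below is a constructed sample, not a real device.
SANDELMAN_OID = "1.3.6.1.4.1.46930.1".freeze
SAMPLE_EUI64  = "00-11-22-ff-fe-33-44-55".freeze

# Build a self-signed certificate carrying an otherName SAN, passing the same
# "otherName:<oid>;UTF8:<text>" string that OpenSSL's config parser expects.
def build_cert_with_othername(oid = SANDELMAN_OID, text = SAMPLE_EUI64)
  key  = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version    = 2 # X.509v3, required before extensions can be added
  cert.serial     = 1
  cert.subject    = OpenSSL::X509::Name.parse("/CN=sample-device")
  cert.issuer     = cert.subject
  cert.public_key = key.public_key
  cert.not_before = Time.now
  cert.not_after  = cert.not_before + 3600
  ef = OpenSSL::X509::ExtensionFactory.new
  ef.subject_certificate = cert
  ef.issuer_certificate  = cert
  cert.add_extension(ef.create_extension("subjectAltName",
                                         "otherName:#{oid};UTF8:#{text}",
                                         false)) # false = extension not critical
  cert.sign(key, OpenSSL::Digest.new("SHA256"))
  cert
end

# Decode the SAN ourselves. GeneralName's otherName choice is [0] IMPLICIT
# OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY }.
# Returns { dotted_oid => utf8_text } for every otherName in the certificate.
def othernames(cert)
  san = cert.extensions.find { |e| e.oid == "subjectAltName" }
  return {} unless san
  ext   = OpenSSL::ASN1.decode(san.to_der)             # SEQUENCE { oid, [critical,] OCTET STRING }
  names = OpenSSL::ASN1.decode(ext.value.last.value)   # OCTET STRING holds GeneralNames SEQUENCE
  names.value.each_with_object({}) do |gn, acc|
    next unless gn.tag_class == :CONTEXT_SPECIFIC && gn.tag == 0
    type_id, wrapped = gn.value          # OID, then the [0] EXPLICIT wrapper
    acc[type_id.oid] = wrapped.value.first.value
  end
end

if __FILE__ == $PROGRAM_NAME
  cert = build_cert_with_othername
  puts cert.extensions.find { |e| e.oid == "subjectAltName" }.value # OpenSSL's own rendering
  p othernames(cert)
end
```

Depending on the OpenSSL version, the first line printed is "othername:<unsupported>", while the decoded hash always carries the UTF8 text.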
