Peter Gutmann said:
> For the little other use that certs get, the government body that's
> behind their use (or, occasionally, a corporate) decides what goes 
> in each of the DN components.  They define the use, and typically
> issue the certs, so they can specify whatever they want for the DN.
> 
> It's been like this for 20-odd years now, I don't see any great need 
> to change it.  Sure, X.500 doesn't work, but people are pretty adaptable.

I come to bury X.500, not to praise it, but I thought this thread was
talking about certificates which chain to roots in Mozilla's trust store, in
which case the purpose of the DN components isn't redefined by the
applicant or the issuer and the contents are verified according to CA
policies in accordance with Mozilla's CA Certificate Policy so that while
the applicant has a choice about what he requests to go into a subject DN
only certain values will be validated and make it through to an issued
certificate.

Regards
Robin

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy