Duane wrote:
Nelson Bolyard wrote:

Yes, however, the RFCs are your friends.

The beautiful thing about standards, is that there are so many to choose from!

OpenSSL uses DNS:hostname the RFC states dNSName:hostname...

OpenSSL and RFC 3280 are not peers, they are not both alternative standards.

RFC3280 is the standard.

OpenSSL and NSS are implementations that claim to be able to construct and
use certs that conform to the RFC 3280 standard.

Each implementation must be used correctly.  It may be possible to use one
or both implementations in a way that causes it to produce certs that do
NOT conform to the standard.

The users' challenge is to find the right commands, command options, and
(for OpenSSL) the right configuration syntax that causes the
implementation's tools to produce standards-compliant certs.

IMO, the right way to know if you are producing standards-compliant certs
with those tools is to know what the standard says, and then check the
results one gets from the tools to see if they conform to the standard.

The alternative is to try many things and get many other people to examine
the results and report which results are standards-compliant and which ones
are not.  This approach is not one I would expect from a certificate
AUTHORITY who wants to be listed among the trusted certificate AUTHORITIES.

--
Nelson B