Alex Tang wrote:

Hi folks.

I've been looking for information on the list archives about how to get
the emailAddress into the DN of a user's certificate.
I have a couple of questions:

* I read a message that said that putting email address in the cert is
deprecated according to the RFCs. Can someone tell me why?
A number of problems, none of them fatal, but that together make the
thing undesirable.  I can think of the following:

   - DNs denote entries in the directory that becomes a naming space,
     while email addresses are a completely different naming space
     with its own delegation rules. Putting email there mixes things
     that are different in nature.
   - You would not be able to have a certificate issued to *two*
     or more email addresses.
   - There is (was?) no standard X.500 attribute type adequate to
     hold an RFC822 address (and no, 0.9.2342.19200300.100.1.3, aka
     'mail', aka 'rfc822mailAddress', is not X.500 standard, it was
     defined in the COSINE directory pilot project). That email thing
     in DN's was introduced as attribute type 1.2.840.113549.1.9.1 by
     RSA in PKCS#9.

For more information, you should ask people who know more about this.
The PKIX people, for instance.  Probably the ietf-pkix archives have
info on this and a Google search will probably provide more complete
answers.

 * Even though this is deprecated, if I need to put the Email addr in the
   DN, can someone tell me the steps I would need to take?

Check ca.conf and make sure you have:

DN_WITHOUT_EMAIL "N"

 * Is it possible to have the Email address attribute be "E" instead of
   "EMAILADDRESS"?  If so, how would I do this?

Attribute types in X.509 certificates are represented as object
identifiers, i.e. an arbitrarily long ASN.1 sequence of integers.
Strings such as 'CN', 'OU', 'C' and 'E' are external representation
forms and, in general, are chosen by the specific program that
decodes the names to present them to the human user.  Those strings
are not present in the certificate itself.  If the object identifiers
are correct for your application, then everything is alright.  If not,
then you have a problem of some other nature.

Julio

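As an added illustration of Julio's last point (example code written for this page, not OpenCA's or the thread's own): a minimal DER encoder and decoder for an X.509 Name carrying the PKCS#9 emailAddress attribute. The OID 1.2.840.113549.1.9.1 is taken from the thread; the subject values are constructed, and the encoder handles only short-form lengths.

```python
EMAIL_OID = "1.2.840.113549.1.9.1"   # pkcs-9 emailAddress, as cited above
CN_OID = "2.5.4.3"                   # id-at-commonName
PRINTABLE, IA5, SEQ, SET = 0x13, 0x16, 0x30, 0x31

def tlv(tag, content):
    assert len(content) < 128, "short-form DER length only"
    return bytes([tag, len(content)]) + content

def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                 # base-128, high bit means "more"
        chunk = [arc & 0x7F]
        while arc >> 7:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        body.extend(reversed(chunk))
    return tlv(0x06, bytes(body))

def decode_oid(body):
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def encode_name(attrs):
    # Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue
    rdns = [tlv(SET, tlv(SEQ, encode_oid(o) + tlv(t, v.encode("ascii"))))
            for o, v, t in attrs]
    return tlv(SEQ, b"".join(rdns))

def decode_name(der, labels):
    # Only the OID is in the DER; the label comes from the caller's table.
    out, pos = [], 2
    while pos < 2 + der[1]:
        p = pos + 4                      # skip SET and SEQUENCE headers
        oid = decode_oid(der[p + 2 : p + 2 + der[p + 1]])
        p += 2 + der[p + 1]              # now at the value TLV
        value = der[p + 2 : p + 2 + der[p + 1]].decode("ascii")
        out.append(f"{labels.get(oid, oid)}={value}")
        pos += 2 + der[pos + 1]
    return ",".join(out)

# Constructed sample subject (not from the thread): CN as PrintableString,
# email as IA5String, as PKCS#9 specifies for emailAddress.
DN = encode_name([(CN_OID, "Alex Tang", PRINTABLE),
                  (EMAIL_OID, "alex@example.com", IA5)])
LONG_LABELS = {CN_OID: "CN", EMAIL_OID: "emailAddress"}   # OpenSSL-style
SHORT_LABELS = {CN_OID: "CN", EMAIL_OID: "E"}             # the 'E' form asked about
```

Decoding the same DN bytes with LONG_LABELS and SHORT_LABELS yields "emailAddress=" and "E=" respectively, with no change to the certificate data.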
_______________________________________________
Openca-Users mailing list
https://lists.sourceforge.net/lists/listinfo/openca-users