Hi,
while I worked around the Email= problem I discovered two other problems
(if I interpret something wrong then forget it)
1. the DN does not contain the serialNumber. So this causes several other
problems
a) the CA has to start every time with certificate 0. So old signed
certificates cannot be validated and all old signed documents are a
problem.
b) one user can only have one certificate. So it is impossible to
implement non-repudiation and to store old certificates (expired or
revoked) for verification of old signatures.
2. I discovered that you are using the (E)mail or the cn to check for the
existence of a DN. This is very critical due to server admins who often
write their names into the server's certificate. So the filter should be
the real proposed DN (best with included serial number ;-) ).
The second I discovered while I wrote an addCertsLDAP function.
Regards Michael
-----------------------------------------------------------------------
Michael Bell
Rechenzentrum - Datacenter
Humboldt-University of Berlin
Unter den Linden 6
10099 Berlin
Germany
E-Mail: [EMAIL PROTECTED]
Tel.: +49+(0)30-2093-2482
Fax.: +49+(0)30-2093-2959
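An added example (not part of the mail or of the CA software it discusses) that illustrates both points above: a constructed directory holds one user's expired and current certificates plus a server certificate whose admin wrote his own name into the cn. A lookup by cn or mail alone collides, while a filter built from the full proposed DN including serialNumber is unique; the filter builder escapes values per RFC 4515. The entries, attribute names and `serialNumber` field are assumptions.

```python
import re

# Constructed sample directory (not real data). "serialNumber" is assumed
# to be part of the subject DN, as the mail proposes.
DIRECTORY = [
    {"cn": "Michael Bell", "mail": "user@example.org", "ou": "Rechenzentrum",
     "o": "Example University", "c": "DE", "serialNumber": "17", "status": "expired"},
    {"cn": "Michael Bell", "mail": "user@example.org", "ou": "Rechenzentrum",
     "o": "Example University", "c": "DE", "serialNumber": "42", "status": "valid"},
    # Server certificate: the admin put his own name into the cn.
    {"cn": "Michael Bell", "mail": "hostmaster@example.org", "ou": "Server",
     "o": "Example University", "c": "DE", "serialNumber": "43", "status": "valid"},
]


def escape_filter_value(value):
    """Escape a value per RFC 4515 so a cn containing '*' or '(' cannot widen the filter."""
    return re.sub(r'[\\*()\x00]', lambda m: '\\%02x' % ord(m.group(0)), value)


def ldap_filter(**attrs):
    """Build an AND filter that requires every given DN attribute (keyword order kept)."""
    return '(&%s)' % ''.join('(%s=%s)' % (k, escape_filter_value(v))
                             for k, v in attrs.items())


def search(directory, **attrs):
    """Stand-in for an LDAP search: entries matching all given attributes exactly."""
    return [e for e in directory if all(e.get(k) == v for k, v in attrs.items())]


def main():
    user_dn = dict(cn="Michael Bell", ou="Rechenzentrum", o="Example University", c="DE")
    # cn alone also hits the server certificate: 3 entries
    print(ldap_filter(cn="Michael Bell"), len(search(DIRECTORY, cn="Michael Bell")))
    # full DN without serialNumber still returns the expired and the current cert: 2
    print(ldap_filter(**user_dn), len(search(DIRECTORY, **user_dn)))
    # full DN plus serialNumber identifies exactly one certificate: 1
    print(ldap_filter(**user_dn, serialNumber="42"),
          len(search(DIRECTORY, **user_dn, serialNumber="42")))


if __name__ == "__main__":
    main()
```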