Alicia,

A DN normally refers to an entry in a directory, so it would usually be
inappropriate to append/prepend extra fields.  An extension is
preferable; however, using the DN to access a directory service should
also be considered since it is more scalable.

You mentioned decentralised databases; that is one of the features
provided by X.500 directories.  The X.509 standard is one part of the
X.500 series for electronic directories.  The DN in the certificate can
be used to obtain other details (such as telephone number) from a
distributed directory service using LDAP/DAP.

Perhaps you should consider the following:
    * the telephone number (or some other field) may change. Should this
      require a new certificate to be issued?
    * while we are defining extension attributes, what information would
      another application/server also want to have?
    * tomorrow a new application/server appears and needs another piece
      of information. Do you need to regenerate and re-issue certificates
      to also have this additional piece of information? OR do you have a
      certificate for each and every type of server/application?
    * Does a bank require your credit cards to be re-issued if your
      telephone number changes?

There are many things to consider, perhaps others may have
suggestions...

Regards...Andrew Hacking.

> -----Original Message-----
> From: Alicia da Conceicao [SMTP:[EMAIL PROTECTED]]
> Sent: Tuesday, 23 March 1999 9:35
> To:   [EMAIL PROTECTED]; [EMAIL PROTECTED];
> [EMAIL PROTECTED]
> Subject:      Additional custom fields in DN in X509 certificate?
> 
> Greetings:
> 
> Is it possible to add additional customized fields to the DN (Distinguished
> Name) of a standard X509 certificate?  Since the DN appears as text, with
> fields delimited by the forward slash character '/', in the subject of the
> X509 certificate, it should be easy enough to add these extra fields.
> 
> For example, the DN in my personal certificate is:
> 
>       /C=CA/ST=Ontario/L=Toronto/O=CyberStation Inc./OU=
>       /CN=Alicia da [EMAIL PROTECTED]
> 
> And if we add a new field for my telephone number "/T=416-860-9378" to my
> DN:
>       /C=CA/ST=Ontario/L=Toronto/O=CyberStation Inc./OU=/T=416-860-9378
>       /CN=Alicia da [EMAIL PROTECTED]
> 
> or if we add it to the end of the DN:
> 
>       /C=CA/ST=Ontario/L=Toronto/O=CyberStation Inc./OU=
>       /CN=Alicia da [EMAIL PROTECTED]/T=416-860-9378
> 
> Are any of the above "extended" DNs valid?  Would the X509 certificates
> that contain these DNs still be valid certs?  Instead of adding fields
> to the DNs, would it be better to add extra fields within an extension
> to the X509 certificate (like the extra Netscape fields such as
> "nsCertType")?
> 
> Thank you in advance.  Sincerely, Alicia.
> 
> PS. If it is possible to safely add extra fields to a client certificate,
>     then is it also possible with SSL3 or TLS to only allow those client
>     certificates to be submitted in an encrypted manner, to a SSL server,
>     after the client application first validates the server certificate?
>     That way, the client's certificate can contain private data in its
>     fields that only trusted servers are allowed to see.  (This method
>     would be very useful for decentralized databasing.)
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
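The thread turns on what a "field in the DN" actually is. The "/C=CA/ST=Ontario/..." text is only OpenSSL's one-line rendering; in the certificate the subject is an ASN.1 Name, a SEQUENCE of SET of {OID, value} pairs, so a custom attribute has to be identified by an object identifier rather than a made-up short name like "/T=" (X.520 already defines telephoneNumber as 2.5.4.20). The extension route Alicia asks about is likewise an OID-tagged OCTET STRING with a critical flag. The following stdlib-only Python is an added example written for this page, not code from the OpenSSL list or the OpenSSL project: it encodes and decodes a Name in DER, renders it the way OpenSSL does, and builds and parses an Extension. The sample DN is constructed from the one quoted in the thread, and PLACEHOLDER_OID is a hypothetical private-arc OID standing in for whatever arc an issuing organisation actually registers.

```python
"""Encode and decode an X.509 Name in DER with only the standard library.
Added example, not code from the OpenSSL list or project: it shows what a
"custom DN field" is on the wire (an OID plus a value) and that OpenSSL's
"/C=CA/ST=..." is only a display rendering of that structure."""

# X.520 attribute types with OpenSSL's short display names.  X.520 already
# defines telephoneNumber (2.5.4.20); "/T=" is not a short name OpenSSL knows.
OIDS = {"C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7", "O": "2.5.4.10",
        "OU": "2.5.4.11", "CN": "2.5.4.3", "telephoneNumber": "2.5.4.20"}
NAMES = {oid: name for name, oid in OIDS.items()}
# Hypothetical private-arc OID for an application-specific attribute.
PLACEHOLDER_OID = "1.3.6.1.4.1.99999.1"
# Constructed sample DN, modelled on the one quoted in the thread.
SAMPLE_DN = [("C", "CA"), ("ST", "Ontario"), ("L", "Toronto"),
             ("O", "CyberStation Inc."), ("OU", ""), ("CN", "Alicia da Conceicao"),
             ("telephoneNumber", "416-860-9378")]

def _length(n):
    """DER length octets: short form below 128, else 0x80|k then k bytes."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def _tlv(tag, body):
    return bytes([tag]) + _length(len(body)) + body

def _encode_oid(dotted):
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        groups = [arc & 0x7F]
        while arc := arc >> 7:
            groups.append(0x80 | (arc & 0x7F))
        out.extend(reversed(groups))
    return _tlv(0x06, bytes(out))

def _decode_oid(body):
    arcs = [2, body[0] - 80] if body[0] >= 80 else [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))

def _read_tlv(buf, pos):
    """Return (tag, body, position just after this TLV)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def encode_name(attrs):
    """Name ::= SEQUENCE OF SET OF SEQUENCE { type OID, value UTF8String }.
    attrs: list of (short name or dotted OID, text); one RDN per attribute."""
    rdns = b""
    for key, value in attrs:
        atv = _encode_oid(OIDS.get(key, key)) + _tlv(0x0C, value.encode("utf-8"))
        rdns += _tlv(0x31, _tlv(0x30, atv))   # SET OF one AttributeTypeAndValue
    return _tlv(0x30, rdns)

def decode_name(der):
    """Inverse of encode_name; unknown attribute types come back as dotted OIDs."""
    _, seq, _ = _read_tlv(der, 0)
    attrs, pos = [], 0
    while pos < len(seq):
        _, rdn, pos = _read_tlv(seq, pos)
        inner = 0
        while inner < len(rdn):
            _, atv, inner = _read_tlv(rdn, inner)
            _, oid_body, after_oid = _read_tlv(atv, 0)
            _, value, _ = _read_tlv(atv, after_oid)
            oid = _decode_oid(oid_body)
            attrs.append((NAMES.get(oid, oid), value.decode("utf-8")))
    return attrs

def openssl_oneline(attrs):
    """Render as OpenSSL's one-line format does: /C=CA/ST=Ontario/..."""
    return "".join(f"/{key}={value}" for key, value in attrs)

def encode_extension(oid, value_der, critical=False):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE,
    extnValue OCTET STRING }.  DER omits a BOOLEAN equal to its DEFAULT."""
    flag = b"\x01\x01\xff" if critical else b""
    return _tlv(0x30, _encode_oid(oid) + flag + _tlv(0x04, value_der))

def decode_extension(der):
    """Return (dotted OID, critical flag, extnValue octets)."""
    _, body, _ = _read_tlv(der, 0)
    _, oid_body, pos = _read_tlv(body, 0)
    tag, nxt, pos = _read_tlv(body, pos)
    critical = tag == 0x01 and nxt == b"\xff"
    if tag == 0x01:                      # skip the BOOLEAN to reach extnValue
        _, nxt, pos = _read_tlv(body, pos)
    return _decode_oid(oid_body), critical, nxt
```

`openssl_oneline(decode_name(encode_name(SAMPLE_DN)))` reproduces the familiar slash form with the telephone number appended as a seventh RDN. Two points for a verifier follow from the structure: an attribute type a relying party does not recognise still parses (it comes back as a dotted OID), so an "extended" DN is valid ASN.1, but because the subject and every extension are covered by the issuer's signature, changing the value means a new certificate either way, which is exactly the re-issue cost Andrew raises; and an extension marked critical must be rejected by any verifier that does not understand it, so an application-private extension should normally be non-critical.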
