"William M. Perry" wrote:
>
> "Salz, Rich" <[EMAIL PROTECTED]> writes:
>
> > >>How are you going to handle multiple OUs? In the case where a certificate
> > >>contains 4 multiple OUs but a user DN only contains one of those 4?
> >
> > Shouldn't the user DN exactly match the "subject" field from the cert?
> > If not, when and why not?
>
> It won't always be the case that your directory structure will map
> _exactly_ to your certificate hierarchy. If you are your own CA and are
> being very careful, or using a tightly integrated directory service and
> cert management server (like Netscape's upcoming stuff), then it will.
>
> But if you want to use something like Verisign to get your certificates,
> their certs are pretty nasty looking and I would _not_ want my directory to
> look like that. :)
>
> > >> I search in LDAP just by e-mail, and I compare the whole certificate byte
> > >> to byte with the client one, to check if they're same cert.
> > >We need to be more flexible about this though - not everybody will be
> > >putting 'email' in their certificates, etc.
> >
Searching by e-mail doesn't mean you search the certificate's e-mail, but the
attribute
    email: someone@somewhere
in the LDAP directory. When the e-mail is found, then you get the user's certificates.
C'you,
Massimiliano Pala ([EMAIL PROTECTED])
P.S.: I think e-mail is very useful, both because if you want to use it for signing,
Netscape will not be very happy about it (it could mark messages with "Invalid
Signature"), and especially because if someone needs to contact the certificate's user
(the CA, let's say, to renew it or to get confirmation for revoking it), he needs
an email address...
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
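The lookup Massimiliano describes (search the directory by its mail attribute, then compare the presented certificate byte for byte against the certificates stored on the entry) and the multiple-OU question raised earlier in the thread, as an added example that is not code from the thread or from the OpenSSL project. It assumes an in-memory list standing in for the LDAP directory, short byte strings standing in for DER-encoded certificates, and hypothetical names (`DIRECTORY`, `find_entry_for_cert`, `entry_ous_covered_by_cert`); it uses only the Python standard library.

```python
"""Added example: mail-attribute lookup, byte-for-byte certificate match,
and a relaxed subject-DN / directory-DN comparison for the multi-OU case.
The directory is an in-memory list, not a real LDAP server."""
import hmac
from typing import Dict, List, Optional, Tuple

RDN = Tuple[str, str]  # (attribute type lower-cased, attribute value)
SPECIALS = ',+"\\<>;# ='  # characters RFC 4514 lets you escape with a backslash
HEX = "0123456789abcdefABCDEF"


def parse_dn(dn: str) -> List[List[RDN]]:
    """Parse an RFC 4514 string DN into a list of RDNs. Each RDN is a list
    of (type, value) pairs so multi-valued RDNs joined with '+' survive.
    Backslash escapes, including \\XX hex pairs (bytes of UTF-8), are decoded."""
    if not dn:
        return []
    rdns: List[List[RDN]] = []
    rdn: List[RDN] = []
    buf = bytearray()
    i = 0
    while i <= len(dn):
        ch = dn[i] if i < len(dn) else ","  # sentinel closes the last RDN
        if ch == "\\":
            if i + 1 >= len(dn):
                raise ValueError("DN ends with a lone backslash")
            nxt = dn[i + 1]
            if nxt in SPECIALS:
                buf += nxt.encode("utf-8")
                i += 2
                continue
            hexpair = dn[i + 1:i + 3]
            if len(hexpair) == 2 and all(c in HEX for c in hexpair):
                buf.append(int(hexpair, 16))
                i += 3
                continue
            raise ValueError(f"bad escape sequence at offset {i}")
        if ch in ",+":
            text = buf.decode("utf-8")
            if "=" not in text:
                raise ValueError(f"RDN without '=': {text!r}")
            atype, value = text.split("=", 1)  # type never contains '='
            rdn.append((atype.strip().lower(), value.strip()))
            buf = bytearray()
            if ch == ",":
                rdns.append(rdn)
                rdn = []
        else:
            buf += ch.encode("utf-8")
        i += 1
    return rdns


def ou_values(dn: str) -> set:
    return {v for rdn in parse_dn(dn) for t, v in rdn if t == "ou"}


def entry_ous_covered_by_cert(entry_dn: str, cert_subject: str) -> bool:
    """True when every OU of the directory DN also appears in the certificate
    subject: a cert carrying four OUs may back an entry filed under one of
    them. Exact DN equality is deliberately not required."""
    return ou_values(entry_dn) <= ou_values(cert_subject)


Entry = Dict[str, object]

# Constructed stand-in directory (hypothetical people and addresses). A real
# entry would carry DER certificates in userCertificate;binary; these byte
# strings only stand in for DER so the example runs offline.
DIRECTORY: List[Entry] = [
    {"dn": "uid=mpala,ou=Staff,o=Example,c=IT",
     "mail": ["m.pala@example.it"],
     "userCertificate;binary": [b"\x30\x82\x01\x00CERT-A", b"\x30\x82\x01\x00CERT-B"]},
    {"dn": "uid=rsalz,ou=Eng,o=Example,c=US",
     "mail": ["rsalz@example.com", "rich@example.com"],
     "userCertificate;binary": [b"\x30\x82\x01\x00CERT-C"]},
]


def search_by_mail(directory: List[Entry], mail: str) -> List[Entry]:
    """Stand-in for an LDAP search with filter (mail=<addr>); mail is matched
    case-insensitively, as the caseIgnoreIA5Match rule on that attribute would."""
    wanted = mail.lower()
    return [e for e in directory if any(m.lower() == wanted for m in e["mail"])]


def find_entry_for_cert(directory: List[Entry], mail: str,
                        presented_der: bytes) -> Optional[str]:
    """Return the DN whose stored certificate is byte-for-byte identical to the
    presented one, or None. Several entries may share a mail address and one
    entry may hold several certificates; the certificate bytes decide.
    compare_digest keeps the comparison free of early-exit timing differences."""
    for entry in search_by_mail(directory, mail):
        for stored in entry["userCertificate;binary"]:
            if hmac.compare_digest(stored, presented_der):
                return str(entry["dn"])
    return None


if __name__ == "__main__":
    print(find_entry_for_cert(DIRECTORY, "M.Pala@example.it", b"\x30\x82\x01\x00CERT-B"))
    print(entry_ous_covered_by_cert(
        "uid=mpala,ou=Staff,o=Example,c=IT",
        "emailAddress=m.pala@example.it,cn=M. Pala,ou=Staff,ou=Research,ou=Crypto,ou=Dev,o=Example,c=IT"))
```

Searching on `mail` first narrows the candidate set to a handful of entries, and the byte-for-byte comparison then decides identity without ever having to reconcile the certificate's subject with the directory DN; the OU check is there for the case where the two still have to be related.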