Oliver King wrote:
>
> Hi guys,
>
> I see that I can configure a crlDistributionPoints value in openssl.cnf that
> will be added to new certificates created by the CA utility. However, I'd
> like the fullName field to be of type directoryName and I see from looking
> at v2i_GENERAL_NAME that this isn't a currently supported option; is there
> any plan to expand v2i_GENERAL_NAME to handle this?
>
This is actually not too difficult from an extension or ASN1 point of
view. What is nasty is getting the config file stuff to handle this
properly. For example you might want this represented as:

    directoryName:C=XX,CN=My Common Name,O=my org

The commas present an immediate problem because this normally is used to
separate options in the extension field. You could however get round
that using the long form @section. Then there's the question of how to
include commas in fields. One way is to do something like this:

    directoryName:C=XX,CN=My Common Name,O="my org, here"

Unfortunately the config file library will swallow the quotes. Similar
things happen with single quotes and \ escaping.

Fixing this then involves AFAICS one of several things, either fixing
the config library so you can get at the 'raw line', using an
alternative form of escaping (e.g. URL escaping) or rewriting the
GENERAL_NAME handling so it is a raw extension and could (for example)
have the directoryName option in its own section. A final alternative
would be to have something like directoryName:file.pem and it would then
take the subject or issuer name from a certificate in that file.

Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
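
The comma problem described in the reply above, next to the URL-escaping alternative it mentions, as an added example that is not part of the original message and not OpenSSL code. split_name and RDN_LEN are hypothetical names, the inputs are constructed, and decoding after the split is an assumption about how such escaping would be applied.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define RDN_LEN 64

/* Split value on raw commas; with decode set, %XX escapes become bytes after
 * the split, so %2C stays inside its field. Returns the piece count, or -1. */
static int split_name(const char *value, int decode, char out[][RDN_LEN], int max)
{
    int n = 0;
    size_t len = 0;
    for (const char *p = value; n < max; p++) {
        char c = *p;
        if (c == ',' || c == '\0') {            /* end of one piece */
            out[n++][len] = '\0';
            len = 0;
            if (c == '\0')
                return n;
            continue;
        }
        if (decode && c == '%') {
            if (!isxdigit((unsigned char)p[1]) || !isxdigit((unsigned char)p[2]))
                return -1;                      /* truncated or non-hex escape */
            char hex[3] = { p[1], p[2], '\0' };
            c = (char)strtol(hex, NULL, 16);
            p += 2;
            if (c == '\0')
                return -1;                      /* %00 would truncate the name */
        }
        if (len + 1 >= RDN_LEN)
            return -1;                          /* piece too long */
        out[n][len++] = c;
    }
    return -1;                                  /* more pieces than max */
}

int main(void)
{
    char rdn[8][RDN_LEN];
    /* Constructed inputs, modelled on the O="my org, here" case above. */
    int n = split_name("C=XX,CN=My Common Name,O=my org, here", 0, rdn, 8);
    printf("raw comma: %d pieces, last \"%s\"\n", n, rdn[n - 1]);
    n = split_name("C=XX,CN=My Common Name,O=my org%2C here", 1, rdn, 8);
    printf("escaped:   %d pieces, last \"%s\"\n", n, rdn[n - 1]);
    return 0;
}
```

With the raw comma the organisation value is cut in two and the stray " here" piece has no attribute type; with %2C the name keeps its three attributes.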