Dr Stephen Henson wrote:
> 
> Oliver King wrote:
> >
> > Hi guys,
> >
> > I see that I can configure a crlDistributionPoints value in openssl.cnf 
> > that will be added to new certificates created by the CA utility. 
> > However, I'd like the fullName field to be of type directoryName
> 
> This is actually not too difficult from an extension or ASN1 point of
> view.
> [..]
> directoryName:C=XX,CN=My Common Name,O=my org

From application/user point of view it does not make sense to poison
your crlDistributionPoint attribute with a value which is likely not
understood by most client software. Or the other way round: Who
knows common software which understands
crlDistributionPoint=directoryName: ?

If you want to store your CRLs in LDAP you might want to set a
crlDistributionPoint=URI:http://.. here which points to a web
application which reads the CRL from LDAP and sends it via HTTP to
the client (very easy to write).

Or some software might understand:

  crlDistributionPoint=URI:ldap:[completely quoted LDAP-URL]

A LDAP-URL is IMHO far the better way to point to a LDAP
entry/attribute anyway. And if using quoted LDAP-URLs (see RFC2255)
you can get rid of ,\+ etc. escaping... (BTW: According to OpenLDAP
developers ,+\ quotings in LDAP-DNs produce a lot of hassle anyway.)

> A final alternative
> would be to have something like directoryName:file.pem and it would then
> take the subject or issuer name from a certificate in that file.

Can you explain this?

IMHO it is not possible in the real world to map certificate DNs and
LDAP-DNs in a meaningful way without doing expensive LDAP searches
or establishing a specific LDAP tree incompatible to most existing
setups. The old X.500 days are over in the LDAP world...

Ciao, Michael.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
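As an added illustration of the URI-based alternatives discussed in this thread (not code from the thread or from the OpenSSL project), the following Python builds an RFC 2255-style LDAP URL for a CRL entry, percent-encodes the DN so no DN-level `,`, `+` or `\` escaping has to appear in the certificate, emits the corresponding `crlDistributionPoints=URI:` line for openssl.cnf, and parses the URL back on the relying-party side. The host names, the entry DN and the `certificateRevocationList;binary` attribute are constructed for the example.

```python
"""Added example: CRL distribution points as LDAP or HTTP URIs (RFC 2255 style)."""
from urllib.parse import quote, unquote, urlsplit

# Hypothetical attribute name used for the example; adjust to the directory schema in use.
DEFAULT_CRL_ATTR = "certificateRevocationList;binary"


def ldap_crl_url(host, entry_dn, attribute=DEFAULT_CRL_ATTR, port=None):
    """Return ldap://host[:port]/<dn>?<attribute>?base?(objectClass=*).

    The DN is percent-encoded for the URL: space, '+' and '\\' become
    %20, %2B and %5C, while '=' and ',' are kept literal for readability.
    The decoded DN is exactly what the CA operator passed in, so no
    backslash escaping is needed in the configured value.
    """
    encoded_dn = quote(entry_dn, safe="=,")
    authority = f"{host}:{port}" if port else host
    return f"ldap://{authority}/{encoded_dn}?{attribute}?base?(objectClass=*)"


def http_crl_url(host, path="/ca.crl"):
    """URL of a web front end that reads the CRL from LDAP and serves it over HTTP."""
    return f"http://{host}{path}"


def cdp_config_line(url):
    """openssl.cnf line for the extension, in the URI form discussed in the thread."""
    return f"crlDistributionPoints=URI:{url}"


def parse_ldap_crl_url(url):
    """Split an LDAP URL into (host, dn, attribute, scope, filter).

    Raises ValueError for non-ldap schemes so a relying party can reject
    unexpected URI types instead of silently fetching from them.
    """
    parts = urlsplit(url)
    if parts.scheme != "ldap":
        raise ValueError(f"not an LDAP URL: {url!r}")
    dn = unquote(parts.path.lstrip("/"))          # undo the percent-encoding
    fields = parts.query.split("?") if parts.query else []
    fields += [""] * (3 - len(fields))            # attribute, scope, filter may be omitted
    attribute, scope, filt = fields[:3]
    return parts.hostname, dn, attribute, scope or "base", filt or "(objectClass=*)"


if __name__ == "__main__":
    # Constructed DN containing a multi-valued RDN ('+') and spaces.
    dn = "CN=My Common Name+OU=PKI,O=my org,C=XX"
    url = ldap_crl_url("ldap.example.com", dn)
    print(cdp_config_line(url))
    print(parse_ldap_crl_url(url))
    print(cdp_config_line(http_crl_url("crl.example.com")))
```

The generated line can be pasted into the extension section referenced by the CA utility; which clients actually follow an `ldap:` URI remains the deployment question raised above, which is why the `http:` front-end variant is produced alongside it.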