From: Michael <[EMAIL PROTECTED]>

michael> Richard Levitte - VMS Whacker wrote:
michael> > 
michael> > But for example, the
michael> > "legal" shortnames for the DN attributes should be available
michael> > somewhere.
michael> 
michael> Can you list a limited set of attribute types for certificate
michael> DNs? I can't.

That's not what I'm asking for.  Anything "legal" is, in my book,
something defined in an RFC or X.nnn or something like that.  I have
not said that it has to cover all attributes that exist or may exist,
I just want a list of those that have been defined as said in the
previous sentence.  Please don't make this harder than it has to be.

michael> I do not have access to the X.500 documents. But RFC2256 is a
michael> good start for getting an idea of the X.500 schema. BTW: You
michael> won't find anything there related to e-mail addresses.

Thank you, that one, together with 2253, are a great start.

michael> Again: The only reference to an attribute type is the OID!

I know that.  Unfortunately, there are applications out there that
attempt to use the textual representation of a DN.  One perfect
example is LDAP anytime you search for anything (at least, I'm told
there are implementations that do not know how to handle DNs with OIDs
for names).

michael> > But I guess that the right way would be to make it less humanly
michael> > readable and use the hash of the issuer DN,
michael> 
michael> NO! A hash is a significant information loss... ;-)

I don't mean to replace any DN with a hash, just add a hash in the
catalogue entry for index and easy retrieval.  The real DN of a
certificate would still be part of the certificate itself.

michael> > the same way it should be done according to RFC2560...
michael> 
michael> OCSP does almost nothing with the issuerName.

Have you read RFC2560 properly?  You can have responders that answer
for other CAs.  Multiple CAs even.  Considering that, you do need an
issuer index as well as the serial number of the cert to validate.

michael> The OCSP server of a CA can reference a cert by serialNumber
michael> anyway.

But that's limiting one responder for each CA.  IIRC, Valicert wants
to set up a global responder that can handle requests for other CAs
as well as their own...

-- 
Richard Levitte   \ Spannvägen 38, II \ [EMAIL PROTECTED]
Chairman@Stacken   \ S-168 35  BROMMA  \ T: +46-8-26 52 47
Redakteur@Stacken   \      SWEDEN       \ or +46-709-50 36 10
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/
Software Engineer, Celo Communications: http://www.celocom.com/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
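The points argued in the message above (the short names RFC 2253 defines for DN attribute types, the OID being the only real identifier, and a hash of the issuer DN serving as an index key while the DN itself stays in the certificate) can be illustrated with a small Python script. This is an added example, not code from the thread or from OpenSSL. It assumes SHA-256 as the index hash (the message does not name one), uses constructed sample DNs, and simplifies X.501 matching rules (no case folding of attribute values, and `#`-prefixed BER-hex values are kept as written).

```python
"""RFC 2253 DN strings, attribute-type OIDs and an issuer-DN index key.

Added example (not the OpenSSL project's code). Shows:
  * the short names RFC 2253 section 2.3 lists, mapped to the OIDs that
    RFC 2256 / X.520 assign to those attribute types;
  * a DN parser that accepts a short name or a dotted OID as the attribute
    type, so a DN written with OIDs only is still understood;
  * an index key that is a hash of the canonical DN, used for lookup only;
    the DN itself is not replaced by the hash.
"""
import hashlib

# Short names a parser MUST recognise per RFC 2253 section 2.3, with the
# OIDs from RFC 2256.  Note that no e-mail attribute is among them: the
# PKCS#9 emailAddress type (1.2.840.113549.1.9.1) is not part of RFC 2256.
RFC2253_SHORT_NAMES = {
    "CN": "2.5.4.3", "L": "2.5.4.7", "ST": "2.5.4.8", "O": "2.5.4.10",
    "OU": "2.5.4.11", "C": "2.5.4.6", "STREET": "2.5.4.9",
    "DC": "0.9.2342.19200300.100.1.25", "UID": "0.9.2342.19200300.100.1.1",
}

_HEX = set("0123456789abcdefABCDEF")


def split_unescaped(s: str, sep: str) -> list:
    """Split s at occurrences of sep that are not preceded by a backslash."""
    parts, cur, i = [], [], 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur.append(s[i:i + 2])  # keep the escape pair for unescape()
            i += 2
            continue
        if s[i] == sep:
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(s[i])
        i += 1
    parts.append("".join(cur))
    return parts


def unescape(value: str) -> str:
    """Decode RFC 2253 escapes: '\\' + special char, or '\\' + 2 hex digits (one UTF-8 byte)."""
    raw, i = bytearray(), 0
    while i < len(value):
        if value[i] == "\\" and i + 1 < len(value):
            pair = value[i + 1:i + 3]
            if len(pair) == 2 and set(pair) <= _HEX:
                raw.append(int(pair, 16))
                i += 3
            else:
                raw += value[i + 1].encode("utf-8")
                i += 2
            continue
        raw += value[i].encode("utf-8")
        i += 1
    return raw.decode("utf-8")


def attribute_oid(attr_type: str) -> str:
    """Resolve a short name or dotted-decimal OID to the OID, the attribute's real identifier."""
    t = attr_type.strip()
    if t.upper() in RFC2253_SHORT_NAMES:
        return RFC2253_SHORT_NAMES[t.upper()]
    if t.upper().startswith("OID."):  # RFC 2253 allows an "oid."/"OID." prefix
        t = t[4:]
    if t and all(part.isdigit() for part in t.split(".")):
        return t
    raise ValueError(f"unknown attribute type {attr_type!r}: not an RFC 2253 short name or an OID")


def _trim_value(v: str) -> str:
    """Drop unescaped surrounding spaces; an escaped trailing space ('\\ ') is part of the value."""
    v = v.lstrip()
    while v.endswith(" ") and not v.endswith("\\ "):
        v = v[:-1]
    return v


def parse_dn(dn: str) -> list:
    """Parse an RFC 2253 string into a list of RDNs, each a list of (oid, value) pairs."""
    rdns = []
    for rdn in split_unescaped(dn, ","):
        avas = []
        for ava in split_unescaped(rdn, "+"):
            attr_type, sep, value = ava.partition("=")
            if not sep:
                raise ValueError(f"malformed RDN component {ava!r}")
            avas.append((attribute_oid(attr_type), unescape(_trim_value(value))))
        rdns.append(avas)
    return rdns


def canonical_dn(dn: str) -> str:
    """Render the DN with OIDs only, so short-name and OID spellings of one DN compare equal."""
    def esc(v):  # re-escape the characters that separate components
        return v.replace("\\", "\\\\").replace(",", "\\,").replace("+", "\\+")
    return ",".join("+".join(f"{oid}={esc(val)}" for oid, val in sorted(rdn))
                    for rdn in parse_dn(dn))


def issuer_index_key(dn: str) -> str:
    """Hash of the canonical DN for a catalogue/index entry (SHA-256 is an assumption here)."""
    return hashlib.sha256(canonical_dn(dn).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    # Constructed sample DNs: the same issuer written with short names and with OIDs.
    dn_short = "CN=Example CA,O=Example\\, Inc.,C=SE"
    dn_oid = "2.5.4.3=Example CA, oid.2.5.4.10=Example\\, Inc., 2.5.4.6=SE"
    assert issuer_index_key(dn_short) == issuer_index_key(dn_oid)
    print(canonical_dn(dn_short), issuer_index_key(dn_short))
```

Resolving the attribute type to its OID before indexing is what makes the two spellings of the sample issuer hash to the same key; an application that keyed on the raw string would file them as two different issuers.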
