Hi!
A group over here is designing a new X509_LOOKUP method for getting
certificates out of DNS, as a part of a bigger project which wants to
encourage deployment of DNSSEC.
All is well, we have working code already, if only the subject names by
which we look up are built up according to RFC2247. However, as can be
read in RFC2538, there are other preferred ways of looking
certificates up, all looking at X509v3's subject alternative name
extensions instead. The current OpenSSL API does not support looking
up by the subjectAltName, so I would like to implement that. I can
see two ways:
* Just change the specification of X509_LOOKUP_by_subject to mean
lookup by the subject name *or* by a subject alternative name. Which
ones, and in which order to be tried, is chosen at the
X509_LOOKUP_METHOD's discretion.
* Provide a new function member in the X509_LOOKUP_METHOD that is
named get_by_subjectAltName, or similar.
What do you guys recommend? The former is the easiest one, as from
what I can see, there is no official documentation or specification of
this part of the API :-) I would rather go that way.
Please include my and the CC'd email addresses in your reply since we
are not subscribed to the list.
Niklas
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
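
The post says the existing lookup works only when subject names follow RFC2247, which represents a domain name as dc= components of the DN. The sketch below is an added example, not code from the post or from OpenSSL: the hypothetical helper dn_to_dns derives the DNS name to query and returns 0 for a subject with no dc components, the case where only a subjectAltName could supply one. It assumes an LDAP-style string DN with the most specific RDN first, no escaped commas and no multi-valued RDNs.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: join the dc= values of a string DN into a DNS name.
 * Returns the number of dc components, 0 if the DN has none, or -1 if the
 * DN is malformed, a dc value is not a single DNS label, the dc components
 * are not a contiguous suffix, or out is too small. */
int dn_to_dns(const char *dn, char *out, size_t outlen)
{
    size_t used = 0, i;
    int ndc = 0;
    if (outlen == 0)
        return -1;
    out[0] = '\0';
    while (*dn != '\0') {
        const char *end = strchr(dn, ',');
        size_t len = end ? (size_t)(end - dn) : strlen(dn);
        while (len > 0 && *dn == ' ') { dn++; len--; }  /* skip leading spaces */
        if (len >= 3 && tolower((unsigned char)dn[0]) == 'd' &&
            tolower((unsigned char)dn[1]) == 'c' && dn[2] == '=') {
            size_t vlen = len - 3;
            if (vlen == 0 || used + vlen + 2 > outlen)  /* room for '.' and NUL */
                return -1;
            for (i = 0; i < vlen; i++)  /* reject dots and other non-label bytes */
                if (!isalnum((unsigned char)dn[3 + i]) && dn[3 + i] != '-')
                    return -1;
            if (ndc)
                out[used++] = '.';
            memcpy(out + used, dn + 3, vlen);
            used += vlen;
            out[used] = '\0';
            ndc++;
        } else if (ndc > 0 || memchr(dn, '=', len) == NULL) {
            return -1;  /* non-dc RDN after a dc one, or RDN without '=' */
        }
        dn = end ? end + 1 : dn + len;
    }
    return ndc;
}

int main(void)
{
    char name[256];
    const char *dn = "cn=www,dc=example,dc=com";  /* constructed sample */
    int n = dn_to_dns(dn, name, sizeof name);
    printf("%s -> %d dc component(s): %s\n", dn, n, n > 0 ? name : "(none)");
    return 0;
}
```

Validating each dc value as a single label keeps a crafted subject from steering the DNS query to an unintended name.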