A quick (and probably dumb) question - a lot of sites are using
DNS-style distinguished names for their LDAP and PKI infrastructure
now.  Any reason why it's not in OpenSSL 9.6/CURRENT?

A DNS-style DN is

  /CN=Bob Smith/DC=example/DC=com

("Bob Smith" at example.com, using LDAP order) instead of

  /O=Acme/CN=Bob Smith

("Bob Smith" at Acme) or

  /C=US/ST=California/CN=Bob Smith

("Bob Smith" in California, US)

The DNS-style seems to be preferred by organizations for internal
use in their directory services (e.g., LDAP), and there are obvious
benefits in having your LDAP and X.509 DNs look the same (modulo
reversing the order of the entries).  E.g., clients can share a
common authentication library that

 - requests the client cert
 - verifies it against internal CA certs
 - extracts the DN
 - pulls the client's LDAP entry
 - checks for permissions in the entry
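
As an added illustration (not code from the original post), a small Python helper for the "extract DN, pull LDAP entry" step: it parses OpenSSL's one-line DN (root-first, as printed by `openssl x509 -subject`), emits the leaf-first RFC 2253 string an LDAP search would use, and recovers the DNS name from the DC components. All function names are my own.

```python
import re

# Characters that RFC 2253 requires to be backslash-escaped inside a value.
_LDAP_SPECIAL = set(',+"\\<>;')

def parse_openssl_dn(dn):
    """Parse "/TYPE=value/TYPE=value" (OpenSSL one-line form, root-most RDN
    first) into a list of (type, value) pairs in printed order.
    OpenSSL does not escape '/' in values, so this splits only on a '/'
    that is followed by something that looks like "TYPE=" (a heuristic)."""
    if not dn.startswith("/"):
        raise ValueError("expected a leading '/' in %r" % dn)
    pairs = []
    for part in re.split(r"/(?=[A-Za-z][\w.]*=)", dn[1:]):
        if "=" not in part:
            raise ValueError("RDN without '=': %r" % part)
        attr_type, value = part.split("=", 1)
        pairs.append((attr_type.strip(), value))
    return pairs

def ldap_escape(value):
    """Escape one attribute value per RFC 2253 (specials anywhere,
    leading '#' or space, trailing space)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if (ch in _LDAP_SPECIAL or (i == 0 and ch in " #")
                or (i == last and ch == " ")):
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)

def to_ldap_dn(pairs):
    """RFC 2253 string: leaf RDN first, so reverse OpenSSL's root-first order."""
    return ",".join("%s=%s" % (t, ldap_escape(v)) for t, v in reversed(pairs))

def domain_from_dc(pairs):
    """Join the DC components of a root-first DN into a DNS name (example.com).
    Returns '' when the DN carries no DC components."""
    dcs = [v for t, v in pairs if t.upper() == "DC"]
    return ".".join(reversed(dcs))

if __name__ == "__main__":
    # Constructed sample subject, as OpenSSL would print it (root first).
    subj = parse_openssl_dn("/DC=com/DC=example/OU=R/D/CN=Bob Smith")
    print(to_ldap_dn(subj))      # CN=Bob Smith,OU=R/D,DC=example,DC=com
    print(domain_from_dc(subj))  # example.com
```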

I've checked RFC2459, which is dense enough that I can't figure
out the right codes without a lot of work.  I'm not even sure
if a DC= is an "administration-domain-name" or "private-domain-name".
But for both

  ub-domain-defined-attributes INTEGER ::= 4
  ub-domain-defined-attributes-type-length INTEGER ::= 8
  ub-domain-defined-attributes-value-length INTEGER ::= 128
  ub-domain-defined-name-length INTEGER ::= 16

(I think the DNS spec allows names up to 64 octets in each component,
although registrars have historically tended to limit it.)

More generally, shouldn't crypto/asn1/a_strnid.c include entries
for everything in the RFC?  E.g., "title", and "postal code" are
also missing.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]