One of the reasons that I see that some "USERS", i.e. relying parties, want that is that it is a bit difficult to get the subject altname email in a CGI under Apache, whilst the DN attribute is simply in an environment variable.
What happens when you add multiple emails, either as subject altname or as multiple occurrences of the email attribute... well, that's another story.

Michael Bell via RT wrote:
> Stephen Henson via RT wrote:
> > That isn't what RFC3280 says:
> >
> >   Conforming implementations generating new certificates with
> >   electronic mail addresses MUST use the rfc822Name in the subject
> >   alternative name field (section 4.2.1.7) to describe such identities.
> >
> > This isn't a DN component at all but part of an extension. This
> > functionality is already supported in OpenSSL.
>
> Oops, you are correct. Nevertheless get_email should also scan for normal
> mail and not only for emailAddress. Additionally inetOrgPerson includes
> rfc822Mailbox and does not use emailAddress.
>
> So more generally, should mail or emailAddress be used in the subject (I
> know this is deprecated by RFC 3280 but many users want it)?
>
> Should I modify my patch with another comment? I still think that
> NID_rfc822Mailbox should be searched in X509_NAME.
>
> Michael
--
To verify the signature, see http://edelpki.edelweb.fr/
This lets you load the authority's certificate; the list of revoked certificates can also be found there.
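The three places an address can live, as discussed in the thread above (subjectAltName rfc822Name, DN emailAddress, DN mail/rfc822Mailbox), gathered by one function. This is an added example, not code from the thread or from OpenSSL; it uses the Python `cryptography` package, and the function names and the constructed sample certificate are assumptions for illustration.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

# "mail" / rfc822Mailbox attribute used by inetOrgPerson (no NameOID constant is assumed)
RFC822_MAILBOX = x509.ObjectIdentifier("0.9.2342.19200300.100.1.3")

def collect_emails(cert):
    """Return (source, address) pairs from every location named in the thread."""
    found = []
    try:
        san = cert.extensions.get_extension_for_oid(
            ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
        found += [("san:rfc822Name", a) for a in san.get_values_for_type(x509.RFC822Name)]
    except x509.ExtensionNotFound:
        pass  # no subjectAltName: only the DN attributes remain
    for label, oid in (("dn:emailAddress", NameOID.EMAIL_ADDRESS),
                       ("dn:mail", RFC822_MAILBOX)):
        found += [(label, attr.value) for attr in cert.subject.get_attributes_for_oid(oid)]
    return found

def unique_addresses(cert):
    """Exact-match de-duplication, keeping first-seen order (SAN entries first)."""
    out = []
    for _, addr in collect_emails(cert):
        if addr not in out:
            out.append(addr)
    return out

def make_sample_cert():
    """Constructed self-signed certificate carrying addresses in all three places."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, "Alice Example"),
        x509.NameAttribute(NameOID.EMAIL_ADDRESS, "alice@example.org"),
        x509.NameAttribute(RFC822_MAILBOX, "alice.alt@example.org"),
    ])
    now = datetime.datetime(2024, 1, 1)
    return (x509.CertificateBuilder()
            .subject_name(name).issuer_name(name)
            .public_key(key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
            .add_extension(x509.SubjectAlternativeName([
                x509.RFC822Name("alice@example.org"),
                x509.RFC822Name("a.example@example.net")]), critical=False)
            .sign(key, hashes.SHA256()))
```

A relying party that reads only one of these sources sees a different answer for the same certificate, which is the multiple-address case the first message calls "another story".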
