On Fri, Jul 10, 2009 at 11:11:48PM +0200, Akos Vandra wrote:

> > The parties involved here are not connected to the internet, and thus
> > don't have any access to a  (this is an embedded project), and they
> > must confirm each other's identity based on the CA-signed certificates.

Well, my address is not my identity. "Identities" are just primary
keys. It seems that you don't want identity certificates, but
for some reason need attribute certificates with lots of attributes.

Is the subject the holder of a corresponding private key in this context,
or is this just a signed message binding the subject to a set of attributes?

If the subject participates in a protocol in which the certificate
authenticates its private key, generally a unique identifier for
each subject is sufficient to support per-subject ACLs, ...

If this is something akin to a signed "passport", the object in question
is a signed message, not a certificate.

Subject attributes are encoded in the subject DN. You can specify
custom OIDs, if the standard OIDs are not sufficient.

http://openssl.org/docs/apps/req.html#DISTINGUISHED_NAME_AND_ATTRIBUTE

-- 
        Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
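
The custom-OID approach described in the message above, shown as an added example that is not part of the original post or of the OpenSSL project's own files. The attribute names, values and the file name device.cnf are hypothetical, and the OIDs sit under 1.3.6.1.4.1.32473, the enterprise arc reserved for documentation examples; a real deployment would use its own registered arc.

```ini
# device.cnf: request config for "openssl req" (added example).
# Assumed usage:
#   openssl req -new -config device.cnf -newkey rsa:2048 -nodes \
#       -keyout device.key -out device.csr
#   openssl req -in device.csr -noout -subject

# Must be in the default (unnamed) section so the names below are
# registered before the DN section is parsed.
oid_section = new_oids

[ new_oids ]
# shortName = OID. Hypothetical attributes under the documentation arc.
deviceModel   = 1.3.6.1.4.1.32473.1.1
deviceRole    = 1.3.6.1.4.1.32473.1.2
firmwareTrack = 1.3.6.1.4.1.32473.1.3

[ req ]
distinguished_name = device_dn
# Take the DN values from this file instead of prompting.
prompt             = no
string_mask        = utf8only

[ device_dn ]
# Standard attributes. serialNumber serves as the unique per-subject
# identifier that a relying party can key its ACLs on.
O            = Example Embedded Vendor
CN           = device-000123
serialNumber = SN-000123

# Custom attributes carried in the subject DN (constructed values).
deviceModel   = sensor-node-v2
deviceRole    = field-unit
firmwareTrack = stable
```

A relying party that has not registered the same short names will display these attributes by their numeric OIDs, so the offline verifier must match on the OID rather than on the name.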