On Fri, Jul 10, 2009 at 11:50:33PM +0200, Akos Vandra wrote:
> > If the subject participates in a protocol in which the certificate
> > authenticates its private key, generally a unique identifier for
> > each subject is sufficient to support per-subject ACLs, ...
> >
> > If this is something akin to a signed "passport", the object in question
> > is a signed message, not a certificate.
>
> you can't really draw a clear line between "signed message" and
> "certificate", because a certificate isn't anything else but a signed
> message from the CA saying that this public key's pair belongs to that
> entity.
Well, X.509 certificates are signed messages that bind a public key to
an "identity". Generally when one says "certificate" it is short for an
X.509 public key certificate, which is used to authenticate a subject
that can securely demonstrate possession of the corresponding private
key.

> > Subject attributes are encoded in the subject DN. You can specify
> > custom OIDs, if the standard OIDs are not sufficient.
>
> Thank you, I think this is what I need. An image can be base64 encoded
> and passed as a field, but I'm not sure if there is any length limit,
> I will have to do some research on this. Thanks for the link.

Length limits are protocol dependent, you have not specified the
protocol with which your "certificates" will be used.

[ FWIW, neither my image, nor any other set of discrete attributes, are
an "identity". My identity is the totality of things that comprise me,
and an "identifier" is a reference to that identity. "Identity theft" is
a misnomer... X.509 certs bind a public key to subject identifier,
presumably one that is meaningful to the verifier. ]

-- 
	Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org