RE: Certificate with custom fields

2009-07-11 Thread PMHager
A possible solution might be to get a private enterprise number from IANA
(http://www.iana.org/assignments/enterprise-numbers). With this you can build
up your own object identifier definitions (starting with 1.3.6.1.4.1..) and
build up a group of certificate extensions.
 
The general disadvantage of such a solution is that these extensions need to
be signed by the CA. So, the CA is responsible for the validity of your
extension's content during the validity of the certificate.
 
Remember that no other application will use the certificate unless you mark
your extension as non-critical.


From: owner-openssl-us...@openssl.org [mailto:owner-openssl-us...@openssl.org]
On Behalf Of Akos Vandra
Sent: Friday, July 10, 2009 10:05 PM
To: openssl-users@openssl.org
Subject: Certificate with custom fields



Hello!

I need to issue a few certificates with custom fields, with the
customers more thoroughly identified, including Full name, Address,
Telephone number, blablabla, and even a picture of the poor guy.
Can this be done with one of the standards which uses openssl, or
would I have to make one of my own? For example, why don't any
XML-like certificates exist?

Regards,
  Vandra Ákos




RE: Certificate with custom fields

2009-07-11 Thread David Schwartz

Akos Vandra wrote:

> The parties involved here are not connected to the internet, and thus
> don't have any access to a  (this is an embedded project), and they
> must confirm each other's identity based on the CA-signed certificates.

If they can get each other's certificates, they can get any information from
each other, right?

> If anyone has any idea how to include this information in a
> certificate, please tell me how this can be done.

Create a custom extension holding a hash of the data and exchange the data
separately. It makes no sense to put this information in the certificate.

However, you left out all the information needed to give you actually useful
advice. For example, do these provide *additional* information? Or
*mandatory* information? If you can't verify the picture matches the person
using the certificate, for example, should you accept the certificate as
binding the private key to the common name? Or not?

The correct solution depends on the problem, and all you've told us is
your proposed (and likely flawed) solution.

I'm not flaming. I'm honestly trying to point out why we can't help you.

DS


__
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
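As an added example (not code from this thread, nor from OpenSSL), the following pure-Python block builds the kind of non-critical private extension PMHager describes, carrying only the SHA-256 digest of the separately exchanged identity data as David Schwartz suggests, and shows the relying-party check; the enterprise number 99999 and the ".1" arc are placeholders for a real IANA assignment.

```python
import hashlib, hmac

# Constructed: PEN 99999 stands in for the enterprise's own IANA number; ".1" is a hypothetical arc.
EXT_OID = "1.3.6.1.4.1.99999.1"

def der_tlv(tag, body):  # DER tag-length-value; this example assumes bodies under 128 bytes
    return bytes([tag, len(body)]) + body
def read_tlv(buf, pos=0):  # -> (tag, body, next_pos) for the short-form TLV at pos
    length = buf[pos + 1]
    return buf[pos], buf[pos + 2:pos + 2 + length], pos + 2 + length

def encode_oid(oid):
    """X.690 OID contents: arcs 1.3 merge into 40*1+3; each later arc is base-128, high bit = more."""
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray()
    for v in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = [v & 0x7F]
        while v >> 7:
            v >>= 7
            chunk.append(0x80 | (v & 0x7F))
        out += bytes(reversed(chunk))
    return bytes(out)

def build_extension(oid, value_der, critical=False):
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }.
    DER omits DEFAULT values, so a non-critical extension carries no BOOLEAN at all."""
    body = der_tlv(0x06, encode_oid(oid))
    if critical:
        body += der_tlv(0x01, b"\xff")
    return der_tlv(0x30, body + der_tlv(0x04, value_der))

def parse_extension(ext_der):
    """Return (encoded OID bytes, critical flag, extnValue contents)."""
    _, seq, _ = read_tlv(ext_der)
    _, oid_body, pos = read_tlv(seq)
    tag, body, pos = read_tlv(seq, pos)
    critical = tag == 0x01 and body == b"\xff"
    if tag == 0x01:  # BOOLEAN present only when TRUE; the extnValue OCTET STRING follows it
        tag, body, pos = read_tlv(seq, pos)
    return oid_body, critical, body

def digest_extension(data):
    """Issuer side: the certificate carries only SHA-256(data); the data itself travels separately."""
    return build_extension(EXT_OID, der_tlv(0x04, hashlib.sha256(data).digest()))

def data_matches_extension(ext_der, data):
    """Relying party: recompute the digest of the separately received data and compare it."""
    oid_body, _, value = parse_extension(ext_der)
    tag, digest, _ = read_tlv(value)
    return oid_body == encode_oid(EXT_OID) and tag == 0x04 and hmac.compare_digest(digest, hashlib.sha256(data).digest())
```

A verifier that does not recognise the OID skips the extension because it is non-critical, which is exactly why the "no other application will use the certificate" caveat above matters.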


Certificate with custom fields

2009-07-10 Thread Akos Vandra
Hello!

I need to issue a few certificates with custom fields, with the
customers more thoroughly identified, including Full name, Address,
Telephone number, blablabla, and even a picture of the poor guy.
Can this be done with one of the standards which uses openssl, or
would I have to make one of my own? For example, why don't any
XML-like certificates exist?

Regards,
  Vandra Ákos


Re: Certificate with custom fields

2009-07-10 Thread Victor Duchovni
On Fri, Jul 10, 2009 at 10:04:45PM +0200, Akos Vandra wrote:

> Hello!
>
> I need to issue a few certificates with custom fields, with the
> customers more thoroughly identified, including Full name, Address,
> Telephone number, blablabla, and even a picture of the poor guy.

A certificate is not a database. Put a unique id in the certificate,
and use a real database to retrieve the related data.

> Can this be done with one of the standards which uses openssl, or
> would I have to make one of my own? For example, why don't any
> XML-like certificates exist?

Your design is flawed.

-- 
Viktor.


Re: Certificate with custom fields

2009-07-10 Thread Akos Vandra
Before just criticizing anything without any arguments whatsoever,
just stating that something is wrong, please think for a while.
Critiques are very important too, but if you do decide to criticize
something, make it useful.

The parties involved here are not connected to the internet, and thus
don't have any access to a  (this is an embedded project), and they
must confirm each other's identity based on the CA-signed certificates.

If anyone has any idea how to include this information in a
certificate, please tell me how this can be done.

And please don't make this thread a flame.

Best regards,
  Vandra Ákos




2009/7/10 Victor Duchovni victor.ducho...@morganstanley.com:
> On Fri, Jul 10, 2009 at 10:04:45PM +0200, Akos Vandra wrote:
>
> > Hello!
> >
> > I need to issue a few certificates with custom fields, with the
> > customers more thoroughly identified, including Full name, Address,
> > Telephone number, blablabla, and even a picture of the poor guy.
>
> A certificate is not a database. Put a unique id in the certificate,
> and use a real database to retrieve the related data.
>
> > Can this be done with one of the standards which uses openssl, or
> > would I have to make one of my own? For example, why don't any
> > XML-like certificates exist?
>
> Your design is flawed.
>
> --
>         Viktor.


Re: Certificate with custom fields

2009-07-10 Thread Akos Vandra
to a central database, that is

2009/7/10 Akos Vandra axo...@gmail.com:
> Before just criticizing anything without any arguments whatsoever,
> just stating that something is wrong, please think for a while.
> Critiques are very important too, but if you do decide to criticize
> something, make it useful.
>
> The parties involved here are not connected to the internet, and thus
> don't have any access to a  (this is an embedded project), and they
> must confirm each other's identity based on the CA-signed certificates.
>
> If anyone has any idea how to include this information in a
> certificate, please tell me how this can be done.
>
> And please don't make this thread a flame.
>
> Best regards,
>   Vandra Ákos


Re: Certificate with custom fields

2009-07-10 Thread Peter Sylvester

Victor Duchovni wrote:
> On Fri, Jul 10, 2009 at 10:04:45PM +0200, Akos Vandra wrote:
>
> > Hello!
> >
> > I need to issue a few certificates with custom fields, with the
> > customers more thoroughly identified, including Full name, Address,
> > Telephone number, blablabla, and even a picture of the poor guy.
>
> A certificate is not a database. Put a unique id in the certificate,
> and use a real database to retrieve the related data.

X.509 allows having all such identity attributes in the subject DN
(except a picture, as far as I know).

> > Can this be done with one of the standards which uses openssl, or
> > would I have to make one of my own? For example, why don't any
> > XML-like certificates exist?
>
> Your design is flawed.

I am not sure about that.

XML certs exist somehow: just re-encode with XER encoding rules.



Re: Certificate with custom fields

2009-07-10 Thread Victor Duchovni
On Fri, Jul 10, 2009 at 11:11:48PM +0200, Akos Vandra wrote:

> The parties involved here are not connected to the internet, and thus
> don't have any access to a  (this is an embedded project), and they
> must confirm each other's identity based on the CA-signed certificates.

Well, my address is not my identity. Identities are just primary
keys. It seems that you don't want identity certificates, but
for some reason need attribute certificates with lots of attributes.

Is the subject the holder of a corresponding private key in this context,
or is this just a signed message binding the subject to a set of attributes?

If the subject participates in a protocol in which the certificate
authenticates its private key, generally a unique identifier for
each subject is sufficient to support per-subject ACLs, ...

If this is something akin to a signed passport, the object in question
is a signed message, not a certificate.

Subject attributes are encoded in the subject DN. You can specify
custom OIDs, if the standard OIDs are not sufficient.

http://openssl.org/docs/apps/req.html#DISTINGUISHED_NAME_AND_ATTRIBUTE

-- 
Viktor.


Re: Certificate with custom fields

2009-07-10 Thread Akos Vandra
Thank you, this was much more helpful.

2009/7/10 Victor Duchovni victor.ducho...@morganstanley.com:
> On Fri, Jul 10, 2009 at 11:11:48PM +0200, Akos Vandra wrote:
>
> > The parties involved here are not connected to the internet, and thus
> > don't have any access to a  (this is an embedded project), and they
> > must confirm each other's identity based on the CA-signed certificates.
>
> Well, my address is not my identity.

Surely not. But your picture, name, and other info define who you are.

> Identities are just primary
> keys. It seems that you don't want identity certificates, but
> for some reason need attribute certificates with lots of attributes.
>
> Is the subject the holder of a corresponding private key in this context,

yes

> or is this just a signed message binding the subject to a set of attributes?

exactly, these are not exclusive.

> If the subject participates in a protocol in which the certificate
> authenticates its private key, generally a unique identifier for
> each subject is sufficient to support per-subject ACLs, ...
>
> If this is something akin to a signed passport, the object in question
> is a signed message, not a certificate.

you can't really draw a clear line between signed message and
certificate, because a certificate isn't anything else but a signed
message from the CA saying that this public key's pair belongs to that
entity.

> Subject attributes are encoded in the subject DN. You can specify
> custom OIDs, if the standard OIDs are not sufficient.

Thank you, I think this is what I need. An image can be base64 encoded
and passed as a field, but I'm not sure if there is any length limit,
I will have to do some research on this. Thanks for the link.

> http://openssl.org/docs/apps/req.html#DISTINGUISHED_NAME_AND_ATTRIBUTE
>
> --
>         Viktor.



Re: Certificate with custom fields

2009-07-10 Thread Victor Duchovni
On Fri, Jul 10, 2009 at 11:50:33PM +0200, Akos Vandra wrote:

> > If the subject participates in a protocol in which the certificate
> > authenticates its private key, generally a unique identifier for
> > each subject is sufficient to support per-subject ACLs, ...
> >
> > If this is something akin to a signed passport, the object in question
> > is a signed message, not a certificate.
>
> you can't really draw a clear line between signed message and
> certificate, because a certificate isn't anything else but a signed
> message from the CA saying that this public key's pair belongs to that
> entity.

Well, X.509 certificates are signed messages that bind a public key to
an identity. Generally when one says "certificate" it is short for an
X.509 public key certificate, which is used to authenticate a subject
that can securely demonstrate possession of the corresponding private key.

> > Subject attributes are encoded in the subject DN. You can specify
> > custom OIDs, if the standard OIDs are not sufficient.
>
> Thank you, I think this is what I need. An image can be base64 encoded
> and passed as a field, but I'm not sure if there is any length limit,
> I will have to do some research on this. Thanks for the link.

Length limits are protocol dependent, you have not specified the
protocol with which your certificates will be used.

[ FWIW, neither my image, nor any other set of discrete attributes, are
  an identity. My identity is the totality of things that comprise me,
  and an identifier is a reference to that identity. Identity theft
  is a misnomer...  X.509 certs bind a public key to a subject identifier,
  presumably one that is meaningful to the verifier. ]

-- 
Viktor.


Re: Certificate with custom fields

2009-07-10 Thread Patrick Patterson
Akos Vandra wrote:
> Thank you, this was much more helpful.
>
> 2009/7/10 Victor Duchovni victor.ducho...@morganstanley.com:
> > On Fri, Jul 10, 2009 at 11:11:48PM +0200, Akos Vandra wrote:
> >
> > > The parties involved here are not connected to the internet, and thus
> > > don't have any access to a  (this is an embedded project), and they
> > > must confirm each other's identity based on the CA-signed certificates.
> > Well, my address is not my identity.
>
> Surely not. But your picture, name, and other info define who you are.
 
Actually, those are just attributes - I am me, but the fact that I am
white, of Scottish descent, and 6'1 are simply attributes. As is the
fact that I work for Carillon Information Security - these are not my
Identity, these are attributes tied to my identity - I suggest you read
Kim Cameron's Laws of Identity to help you get a better grasp of the
differences between the two.

> > Identities are just primary
> > keys. It seems that you don't want identity certificates, but
> > for some reason need attribute certificates with lots of attributes.
> >
> > Is the subject the holder of a corresponding private key in this context,
>
> yes
>
> > or is this just a signed message binding the subject to a set of attributes?
>
> exactly, these are not exclusive.
 
They are exclusive - your identity ties you to one or more sets of
attributes, which are completely different dependent on the context. I
can have a much different set of attributes if I am identifying myself
to my company, or to a partner company, to my local curling club, or to
my bank. Again, see the laws of Identity referenced above.

> > If the subject participates in a protocol in which the certificate
> > authenticates its private key, generally a unique identifier for
> > each subject is sufficient to support per-subject ACLs, ...
> >
> > If this is something akin to a signed passport, the object in question
> > is a signed message, not a certificate.
>
> you can't really draw a clear line between signed message and
> certificate, because a certificate isn't anything else but a signed
> message from the CA saying that this public key's pair belongs to that
> entity.
>
> > Subject attributes are encoded in the subject DN. You can specify
> > custom OIDs, if the standard OIDs are not sufficient.
>
> Thank you, I think this is what I need. An image can be base64 encoded
> and passed as a field, but I'm not sure if there is any length limit,
> I will have to do some research on this. Thanks for the link.


I would encourage you to re-think your design if you are going to put
all of those attributes into a certificate. It appears that what you
REALLY want is some form of Identity Federation... and not simply PKI.
At the very least, you might want to consider X.509 Identity
Certificates as well as Attribute Certificates...

Have fun.

Patrick