WG co-chair hat off
On 10/11/2009, at 6:13 PM, Stephen Kent wrote:
Geoff,
Here are the details provided by David:
------------------------------
Using OpenSSL 1.0.0-beta3 15 Jul 2009:
openssl req -out sidr.req -newkey rsa:2048 -keyout sidr.key -config ./openssl.cnf -multivalue-rdn -subj "/CN=SIDR test+serialNumber=4"
openssl ca -in sidr.req -out sidr.pem -config openssl.cnf -preserveDN
NSS 3.12.3:
certutil -N -d temp/
certutil -R -k rsa -g 2048 -s "CN=SIDRtest, dc=example, dc=com" -d temp/ -o ta.req
certutil -C -i ta.req -x -d temp/ -o ta.cer -m 0
certutil -A -n "SIDRTA" -t "TC,TC,TC" -d temp/ -i ta.cer
certutil -R -k rsa -g 2048 -s "serialNumber=5+CN=SIDR test" -d temp/ -o sidr.req
certutil -C -c "SIDRTA" -i sidr.req -o sidr_NSS.cer -m 8 -d temp/
----------
As for the rescerts I-D, I don't think it needs to change, because
it refers to the arch doc for subject and issuer name conventions.
However, that document is not specific about how to organize the
common name and serial number attributes when they both appear in a
Subject or Issuer name.
We have the option to move the details into the cert profile, or put
more details into the arch doc.
And the option to place these details in the resource certificate
profile document, of course.
Still speaking as an individual, and not a wg co-chair, I'm not sure
myself where would be the most obvious place to put this, where "most
obvious" is from the perspective of a future reader / implementor.
regards,
Geoff
WG co-chair hat off
_______________________________________________
sidr mailing list
https://www.ietf.org/mailman/listinfo/sidr
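
The open question in the message above is how CN and serialNumber are organized when both appear in a name. As an added example (not code from the thread or from either toolkit), this Python sketch decodes a DER-encoded Name and reports whether the two attributes share one multi-valued RDN or sit in separate RDNs. The helper names are hypothetical, the sample names are constructed from the values in the OpenSSL command, and only short-form lengths and PrintableString values are handled.

```python
# Added example: hypothetical helpers, constructed sample data.
CN_OID, SN_OID = b"\x55\x04\x03", b"\x55\x04\x05"  # 2.5.4.3 and 2.5.4.5
OIDS = {CN_OID: "CN", SN_OID: "serialNumber"}

def tlv(tag, body):
    # Encode one DER TLV; short-form length is enough for these small names.
    if len(body) > 127:
        raise ValueError("long-form length not handled in this sketch")
    return bytes([tag, len(body)]) + body

def atv(oid, text):
    # AttributeTypeAndValue ::= SEQUENCE { type OID, value PrintableString }
    return tlv(0x30, tlv(0x06, oid) + tlv(0x13, text.encode("ascii")))

def read_tlvs(buf):
    # Split a buffer into consecutive (tag, body) pairs.
    out, i = [], 0
    while i < len(buf):
        tag, length = buf[i], buf[i + 1]
        if length > 127:
            raise ValueError("long-form length not handled in this sketch")
        out.append((tag, buf[i + 2:i + 2 + length]))
        i += 2 + length
    return out

def parse_name(der):
    # Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue
    (tag, body), = read_tlvs(der)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns = []
    for set_tag, set_body in read_tlvs(body):
        if set_tag != 0x31:
            raise ValueError("RDN must be a SET")
        rdn = []
        for _, seq_body in read_tlvs(set_body):
            (_, oid), (_, val) = read_tlvs(seq_body)
            rdn.append((OIDS.get(oid, oid.hex()), val.decode("ascii")))
        rdns.append(rdn)
    return rdns

def cn_serial_layout(der):
    # Classify how CN and serialNumber are arranged in the name.
    rdns = parse_name(der)
    if {"CN", "serialNumber"} - {t for rdn in rdns for t, _ in rdn}:
        return "CN and serialNumber not both present"
    both = any({"CN", "serialNumber"} <= {t for t, _ in rdn} for rdn in rdns)
    return "one multi-valued RDN" if both else "separate RDNs"

# Constructed samples; DER orders SET OF members by their encoded bytes.
MULTI = tlv(0x30, tlv(0x31, b"".join(sorted([atv(CN_OID, "SIDR test"), atv(SN_OID, "4")]))))
SEPARATE = tlv(0x30, tlv(0x31, atv(CN_OID, "SIDR test")) + tlv(0x31, atv(SN_OID, "4")))
```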