> From: [EMAIL PROTECTED] (Peter Gutmann)
>
> No one seems to know how to encode X.509v3 extensions as attributes,
> the three approaches I can think of are:
>
> 1. Treat the extension as if it were an attribute:
>
> 2. Create an OID specifying that the attribute is a collection of cert
> extensions:
>
> 3. As 2, but ...
>
> Is anyone using X.509 extensions with PKCS #10 requests?

This seems to be the wrong question. Given that there are no solutions
supported by CAs today, and the three alternatives you list each have
advantages and drawbacks, it seems that the question should be
"What is the preferred method of requesting a certificate containing
X.509 extensions?"

Recognition of the fact that PKCS #10 does not support X.509 v3 is what
drove PKIX to develop the Certificate Request Message Format (CRMF), which
includes every X.509 v3 certificate field. As VeriSign and Entrust were
co-authors of the CRMF specification, one might expect it to become
widely supported. Can the same be said for agreement on a specific
ad-hoc method of stretching PKCS #10?
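
The first two approaches from the quoted message, DER-encoded side by side for comparison (an added example, not code from either poster). The layout used for approach 1 is an assumption, since the quoted message gives no encoding; the PKCS #9 extensionRequest OID stands in for the "new OID" of approach 2, and basicConstraints with cA=TRUE is constructed sample input.

```python
# Minimal DER encoder: just enough to build a PKCS #10 Attribute by hand.
SEQ, SET, OCTETS, BOOL, OID = 0x30, 0x31, 0x04, 0x01, 0x06

def der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, content):
    return bytes([tag]) + der_len(len(content)) + content

def oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # base-128, low group first
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return tlv(OID, bytes(out))

ID_CE_BASIC_CONSTRAINTS = "2.5.29.19"
# Assumption: PKCS #9 extensionRequest plays the role of approach 2's new OID.
ID_EXTENSION_REQUEST = "1.2.840.113549.1.9.14"

# Constructed sample: BasicConstraints ::= SEQUENCE { cA BOOLEAN } with cA = TRUE
BC_VALUE = tlv(SEQ, tlv(BOOL, b"\xff"))

def attr_approach_1():
    # Attribute { type = the extension's own OID, values = SET { extension value } }
    # An Attribute has no slot for the extension's critical flag.
    return tlv(SEQ, oid(ID_CE_BASIC_CONSTRAINTS) + tlv(SET, BC_VALUE))

def attr_approach_2(critical=True):
    # Attribute { type = collection OID, values = SET { SEQUENCE OF Extension } }
    # Each Extension keeps extnID, critical and the OCTET STRING wrapper intact.
    crit = tlv(BOOL, b"\xff") if critical else b""   # DER omits DEFAULT FALSE
    ext = tlv(SEQ, oid(ID_CE_BASIC_CONSTRAINTS) + crit + tlv(OCTETS, BC_VALUE))
    return tlv(SEQ, oid(ID_EXTENSION_REQUEST) + tlv(SET, tlv(SEQ, ext)))

if __name__ == "__main__":
    print("approach 1:", attr_approach_1().hex())
    print("approach 2:", attr_approach_2().hex())
```

Under this reading, approach 1 cannot tell the CA whether the requester wants the extension marked critical, while approach 2 carries the full Extension structure that would appear in the issued certificate.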