[openssl.org #1181] [PATCH] adds RFC 3280 compatible mail attribute


[openssl.org #1181] [PATCH] adds RFC 3280 compatible mail attribute

Rich Salz via RT

That isn't what RFC3280 says:

   Conforming implementations generating new certificates with
   electronic mail addresses MUST use the rfc822Name in the subject
   alternative name field (section 4.2.1.7) to describe such identities.

This isn't a DN component at all but part of an extension. This
functionality is already supported in OpenSSL.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [hidden email]
Automated List Manager                           [hidden email]

Re: [openssl.org #1181] [PATCH] adds RFC 3280 compatible mail attribute

Rich Salz via RT

Stephen Henson via RT wrote:
> That isn't what RFC3280 says:
>
>    Conforming implementations generating new certificates with
>    electronic mail addresses MUST use the rfc822Name in the subject
>    alternative name field (section 4.2.1.7) to describe such identities.
>
> This isn't a DN component at all but part of an extension. This
> functionality is already supported in OpenSSL.

Oops, you are correct. Nevertheless get_email should also scan for normal
mail and not only for emailAddress. Additionally inetOrgPerson includes
rfc822Mailbox and does not use emailAddress.

So more generally should mail or emailAddress be used in the subject (I
know this is deprecated by RFC 3280 but many users want it)?

Should I modify my patch with another comment? I still think that
NID_rfc822Mailbox should be searched in X509_NAME.

Michael
--
_______________________________________________________________

Michael Bell                    Humboldt-Universitaet zu Berlin

Tel.: +49 (0)30-2093 2482       ZE Computer- und Medienservice
Fax:  +49 (0)30-2093 2704       Unter den Linden 6
[hidden email]   D-10099 Berlin
_______________________________________________________________

Re: [openssl.org #1181] [PATCH] adds RFC 3280 compatible mail attribute

Peter Sylvester-3
One of the reasons that I see that some "USERS", i.e. relying parties
want that, is that it is a bit difficult to get the subject altname
email in a CGI under apache, whilst the DN attribute is simply
in an environment variable.

What happens when you add multiple emails, either as subject altname or
as multiple occurrences of the email attribute, well, that's another story.

Michael Bell via RT wrote:

> Stephen Henson via RT wrote:
>
>> That isn't what RFC3280 says:
>>
>>    Conforming implementations generating new certificates with
>>    electronic mail addresses MUST use the rfc822Name in the subject
>>    alternative name field (section 4.2.1.7) to describe such identities.
>>
>> This isn't a DN component at all but part of an extension. This
>> functionality is already supported in OpenSSL.
>
> Oops, you are correct. Nevertheless get_email should also scan for normal
> mail and not only for emailAddress. Additionally inetOrgPerson includes
> rfc822Mailbox and does not use emailAddress.
>
> So more generally should mail or emailAddress be used in the subject (I
> know this is deprecated by RFC 3280 but many users want it)?
>
> Should I modify my patch with another comment? I still think that
> NID_rfc822Mailbox should be searched in X509_NAME.
>
> Michael

--
To verify the signature, see http://edelpki.edelweb.fr/ 
This lets you download the authority's certificate;
the list of revoked certificates can be found there too.


Re: [openssl.org #1181] [PATCH] adds RFC 3280 compatible mail attribute

Michael Bell
Peter Sylvester wrote:
> One of the reasons that I see that some "USERS", i.e. relying parties
> want that, is that it is a bit difficult to get the subject altname
> email in a CGI under apache, whilst the DN attribute is simply
> in an environment variable.
>
> What happens when you add multiple emails, either as subject altname or
> as multiple occurrences of the email attribute, well, that's another story.

This is the real problem. We have users who use this functionality to
get all email addresses from a certificate, and yes, some are in the
subject and some are in the subject alt name. Until now nobody tried to
use mail instead of emailAddress, but it is possible, and most
directories implemented mail because it is in inetOrgPerson.

Michael
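The collection Michael describes, reading mailbox attributes from the subject DN (both emailAddress and the inetOrgPerson mail attribute) and rfc822Name entries from subjectAltName, as an added example that is not part of this thread or of OpenSSL's get_email. It uses a minimal standard-library DER walker over a subject and SAN constructed in the block itself; every address and name in it is invented sample data.

```python
# Added example, not code from the OpenSSL patch or project: gather every e-mail
# address a certificate carries, from the subject DN (emailAddress and mail) and
# from subjectAltName (rfc822Name). Stdlib only; the DER below is constructed.
def _encode_oid(oid):                       # dotted string -> DER OID contents
    arcs = [int(a) for a in oid.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        rev = [a & 0x7F]                    # base-128, high bit set on all but last
        while a := a >> 7:
            rev.append((a & 0x7F) | 0x80)
        out += rev[::-1]
    return bytes(out)

OID_EMAILADDRESS = "1.2.840.113549.1.9.1"          # pkcs9 emailAddress
OID_MAIL = "0.9.2342.19200300.100.1.3"             # inetOrgPerson mail (rfc822Mailbox)
EMAIL_ATTR_OIDS = {_encode_oid(OID_EMAILADDRESS), _encode_oid(OID_MAIL)}

def _tlv(data):                             # one DER TLV -> (tag, value, rest)
    tag, length, pos = data[0], data[1], 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(data[2:2 + n], "big"), 2 + n
    return tag, data[pos:pos + length], data[pos + length:]

def emails_from_subject(name_der):          # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
    found, rdns = [], _tlv(name_der)[1]
    while rdns:
        _, rdn, rdns = _tlv(rdns)
        while rdn:
            _, atv, rdn = _tlv(rdn)
            _, oid, value_tlv = _tlv(atv)   # AttributeType OID, then the value TLV
            if oid in EMAIL_ATTR_OIDS:      # either attribute type counts, as the thread asks
                found.append(_tlv(value_tlv)[1].decode("ascii"))
    return found

def emails_from_san(san_der):               # GeneralNames ::= SEQUENCE OF GeneralName
    found, names = [], _tlv(san_der)[1]
    while names:
        tag, value, names = _tlv(names)
        if tag == 0x81:                     # context-specific [1], primitive: rfc822Name
            found.append(value.decode("ascii"))
    return found

def _der(tag, payload):                     # constructed sample input, short-form lengths
    return bytes([tag, len(payload)]) + payload
def _rdn(oid, text):                        # SET { SEQUENCE { OID, IA5String } }
    return _der(0x31, _der(0x30, _der(0x06, _encode_oid(oid)) + _der(0x16, text.encode())))
SUBJECT_DER = _der(0x30, _rdn("2.5.4.3", "Michael Bell")           # commonName, ignored
                   + _rdn(OID_EMAILADDRESS, "bell@example.org")
                   + _rdn(OID_MAIL, "michael.bell@example.org"))
SAN_DER = _der(0x30, _der(0x81, b"bell@example.net") + _der(0x82, b"example.org"))
```

The combined result of both functions is what a get_email honouring the DN attributes and the extension would return; the dNSName in the SAN and the commonName in the subject are skipped.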