> On 2 Jul 2020, at 19:29, Michael Richardson <mcr+i...@sandelman.ca> wrote:
>
> Signed PGP part
>
> Eliot Lear <lear=40cisco....@dmarc.ietf.org> wrote:
>> I have no objection. My only caution is that otherName is poorly
>> supported in the open source tool sets, but that is something we could
>> conceivably work on.
>
> I disagree!
> otherName is adequately supported (if poorly documented) in openssl.cnf for
> our purposes.
> Creating otherName SAN extensions from library interface is fully supported.
>
> The openssl x509 -text output program does not know how to format arbitrary
> otherName text, so it just says <unsupported>.

Whereas for a URI it will actually provide you the URI. Also, if the
otherName is at all complex, the openssl.cnf file is entirely
counter-intuitive. This having been said, one needn’t write to OpenSSL’s
limitations.

Eliot

>
> Here is a proprietary otherName that I created a while ago, implemented in
> ruby:
>
>    # the OID: 1.3.6.1.4.1.46930.1 is a Private Enterprise Number OID:
>    # iso.org.dod.internet.private.enterprise . SANDELMAN=46930 .. 1
>    @idevid.add_extension(extension_factory.create_extension(
>        "subjectAltName",
>        sprintf("otherName:1.3.6.1.4.1.46930.1;UTF8:%s",
>                self.sanitized_eui64),
>        false))
>
> The hardest part was figuring out the ";UTF8:" part, as I had to read the C
> code underneath to learn how that worked.
> (false, is I think, whether it is critical)
>
> --
> Michael Richardson <mcr+i...@sandelman.ca>, Sandelman Software Works
> -= IPv6 IoT consulting =-
_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima