On Thu, May 05, 2011 at 03:32:34PM -0400, Daniel Kahn Gillmor wrote:
> Is it really forbidden? I'm pretty sure i have X.509 certificates with
> an emailAddress in them. For example, take a look at
>
> /etc/ssl/certs/spi-cacert-2008.pem
Perhaps not, but /usr/include/gnutls/x509.h contains

/* The following should not be included in DN. */
#define GNUTLS_OID_PKCS9_EMAIL "1.2.840.113549.1.9.1"

> Have you looked at the structure and contents of an S/MIME e-mail
> signing X.509 certificate issued by one of the members of the CA cartel?

I have not.

> As i read the docs [0], this will only return otherName members of the
> subjectAltName field, so you won't get anything for, say, dNSName
> members of the subjectAltName [1]. And i don't see any guarantee that
> additional otherName designees will not get defined by future versions
> of gnutls; but maybe we should raise this question on the gnutls
> development list.

I'm not sure this is a problem; either the SAN holds a peername which
matches an OpenPGP uid associated with the pkcdata, or it doesn't. If
the issue is X.509 certs generated by someone else, then of course
having GnuTLS, mod_gnutls, and Monkeysphere all able to understand the
same field would be helpful.

_______________________________________________
Modules mailing list
Modules@lists.outoforder.cc
http://lists.outoforder.cc/mailman/listinfo/modules
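The point under discussion above is that subjectAltName is a SEQUENCE of GeneralName, a CHOICE whose alternatives (otherName, rfc822Name, dNSName, iPAddress, ...) carry different context-specific tags, so an API that returns only otherName members silently misses the rfc822Name or dNSName a peer may actually be identified by. The example below is added here and is not code from the thread, from GnuTLS or from mod_gnutls: it builds a small constructed SAN value in DER with one member of each of four kinds (the otherName type-id `1.3.6.1.4.1.99999.1` and all name values are placeholders, not registered identifiers) and then walks it, labelling every GeneralName by kind. It also checks the encoder against the PKCS#9 emailAddress OID quoted from x509.h above. It uses only the Python standard library.

```python
"""Build and walk an X.509 subjectAltName (SEQUENCE OF GeneralName) in DER.

Added example, not code from the mailing-list thread or from GnuTLS.
"""
import ipaddress
from typing import List, Tuple

# Universal DER tags used here
TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_UTF8STRING = 0x0C
# Tag class / form bits
CTX = 0x80          # context-specific class, used for GeneralName CHOICE tags
CONSTRUCTED = 0x20  # set on otherName and on the [0] EXPLICIT value wrapper

# Placeholder type-id for the otherName member (constructed for this example,
# not a registered OID).
PLACEHOLDER_OID = "1.3.6.1.4.1.99999.1"


def der_len(n: int) -> bytes:
    """DER length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, body: bytes) -> bytes:
    """Wrap body in a tag-length-value triple."""
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted: str) -> bytes:
    """Encode a dotted OID: first two arcs merge into one byte, rest are base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return bytes(out)


def decode_oid(body: bytes) -> str:
    """Inverse of encode_oid (handles the 2.x first-arc special case)."""
    first = body[0]
    arcs = [2, first - 80] if first >= 80 else [first // 40, first % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of this arc has the continuation bit clear
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Read one TLV at pos; return (tag, body, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length runs past the end of the buffer")
    return tag, buf[pos:end], end


def parse_san(der: bytes) -> List[Tuple[str, str]]:
    """Return every GeneralName in a SAN value as (kind, printable value)."""
    tag, body, end = read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("subjectAltName must be exactly one SEQUENCE")
    names: List[Tuple[str, str]] = []
    pos = 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag & 0xC0 != CTX:
            raise ValueError(f"unexpected tag 0x{tag:02x} inside GeneralNames")
        number = tag & 0x1F
        if number == 0:  # otherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
            _, oid_body, p = read_tlv(value, 0)
            _, explicit, _ = read_tlv(value, p)          # the [0] EXPLICIT wrapper
            inner_tag, inner, _ = read_tlv(explicit, 0)  # the wrapped value
            text = inner.decode("utf-8") if inner_tag == TAG_UTF8STRING else inner.hex()
            names.append(("otherName", f"{decode_oid(oid_body)}={text}"))
        elif number == 1:
            names.append(("rfc822Name", value.decode("ascii")))
        elif number == 2:
            names.append(("dNSName", value.decode("ascii")))
        elif number == 7:
            names.append(("iPAddress", str(ipaddress.ip_address(value))))
        else:  # keep unknown alternatives visible rather than dropping them
            names.append((f"[{number}]", value.hex()))
    return names


def names_of_kind(names: List[Tuple[str, str]], kind: str) -> List[str]:
    """The narrow view the thread worries about: only one GeneralName kind."""
    return [v for k, v in names if k == kind]


def build_sample_san() -> bytes:
    """Constructed SAN with one otherName, rfc822Name, dNSName and iPAddress."""
    other = tlv(CTX | CONSTRUCTED | 0,
                tlv(TAG_OID, encode_oid(PLACEHOLDER_OID))
                + tlv(CTX | CONSTRUCTED | 0, tlv(TAG_UTF8STRING, b"alice@example.org")))
    email = tlv(CTX | 1, b"alice@example.org")
    dns = tlv(CTX | 2, b"www.example.org")
    ip = tlv(CTX | 7, ipaddress.ip_address("192.0.2.10").packed)
    return tlv(TAG_SEQUENCE, other + email + dns + ip)


if __name__ == "__main__":
    for kind, value in parse_san(build_sample_san()):
        print(f"{kind:11s} {value}")
```

Running it lists all four names; `names_of_kind(..., "otherName")` returns only the first, which is exactly what a caller sees if the library hands back otherName members alone, so a peer identified by a dNSName or rfc822Name would go unmatched.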