Hiya

Having pioneered CGI variables for all sorts of cert issuer DN and
subject DN elements (with Sioux 1.0 way back God knows when) I have to
say I've gone off them in favour of passing out the full certs if
possible. I think it's dangerous for people to work with "subject_ou"
when there may be a cert chain involved that is vitally important to
their work.

Also, as soon as you start having SSL CGI variables for DN elements you
have to decide (a) which DN elements you support (believe it or not, but
early IBM servers regularly have postal codes in their DNs - using the
correct X.509 DN elements too), and (b) what you do about DN elements
you don't support.

Oh, and then there is the fact that it's perfectly legit to have two OU
elements in a cert.

That said... not everybody can easily pull a cert apart and get at the
info they want. Hmmm.. I don't know.

Ramble, ramble, I'll be quiet now ;-)

--
Mark Shuttleworth
Thawte
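
The two DN problems raised in the message above (a repeated OU element, and DN elements the server does not export), as an added example that is not part of the original message. The DN string, the `SUBJECT_*` variable names and the supported-attribute set are constructed for illustration and do not describe any particular server.

```python
# Added illustration: what is lost when a DN is flattened into one CGI
# variable per attribute. All names and sample values here are constructed.

SUPPORTED = {"C", "O", "OU", "CN"}  # attributes a hypothetical server exports

# Constructed subject DN with two OU elements and a postal code.
SAMPLE_DN = r"CN=Alice Example,OU=Payments,OU=Contractors,postalCode=7700,O=Example\, Inc,C=ZA"


def parse_dn(dn):
    """Split a DN string into ordered (type, value) pairs.

    Backslash escapes are honoured; multi-valued RDNs ('+') are not handled.
    """
    pairs, buf, escaped = [], [], False
    for ch in dn + ",":          # trailing comma flushes the last element
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            attr, _, value = "".join(buf).partition("=")
            pairs.append((attr.strip(), value))
            buf = []
        else:
            buf.append(ch)
    return pairs


def flat_vars(pairs):
    """One variable per supported attribute; a repeated attribute is overwritten."""
    env = {}
    for attr, value in pairs:
        if attr.upper() in SUPPORTED:
            env["SUBJECT_" + attr.upper()] = value
    return env


def lost_by_flattening(pairs):
    """Return the (type, value) pairs that flat_vars() cannot represent."""
    env = flat_vars(pairs)
    return [(a, v) for a, v in pairs if env.get("SUBJECT_" + a.upper()) != v]


if __name__ == "__main__":
    parsed = parse_dn(SAMPLE_DN)
    print("flat variables:", flat_vars(parsed))
    print("not representable:", lost_by_flattening(parsed))
```

An access check written against `SUBJECT_OU` alone would see only `Contractors` here; handing the application the full ordered list, or the certificate itself, keeps both OU values and the unsupported element visible.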
