"Salz, Rich" <[EMAIL PROTECTED]> writes:

> >>How are you going to handle multiple OUs?  In the case where a certificate
> >>contains 4 multiple OUs but a user DN only contains one of those 4?
> 
> Shouldn't the user DN exactly match the "subject" field from the cert?
> If not, when and why not?

It won't always be the case that your directory structure will map
_exactly_ to your certificate hierarchy.  If you are your own CA and are
being very careful, or using a tightly integrated directory service and
cert management server (like Netscape's upcoming stuff), then it will.

But if you want to use something like Verisign to get your certificates,
their certs are pretty nasty looking and I would _not_ want my directory to 
look like that. :)

> >> I search in LDAP just by e-mail, and I compare the whole certificate byte
> >> to byte with the client one, to check if they're same cert.
> >We need to be more flexible about this though - not everybody will be
> >putting 'email' in their certificates, etc.
> 
> Put "email" in how?  As an RDN (gosh, I hope not!) or some other way?

Either as an RDN in the cert, or an extended attribute.  Verisign's
low-assurance CA sticks your email in there.  That's what I used to do a
lot of my testing of my mod_ssl integration.

-Bill P.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
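The two strategies discussed in this thread, matching the certificate subject against the directory DN versus looking the entry up by e-mail and comparing the stored certificate byte for byte, can be shown side by side. The following Go program is an added example written for this page; it is not mod_ssl's or OpenSSL's code and it uses an in-memory map as a stand-in for LDAP. The names `directoryEntry`, `issueCert`, `subjectMatchesDN`, `lookupByEmailAndCompare` and `runScenario`, the "Example Corp" subject and the alice@example.com address are all constructed for the example. The generated certificate carries four OUs while the directory DN keeps one, which is exactly the case raised at the top of the thread.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// directoryEntry is a constructed stand-in for an LDAP entry: its DN, its
// mail attribute and the DER certificate held in userCertificate.
type directoryEntry struct {
	DN   string
	Mail string
	Cert []byte // DER encoding, compared byte for byte
}

// issueCert builds a self-signed certificate whose Subject carries several
// OUs and whose subjectAltName carries an rfc822Name (constructed test data).
func issueCert(cn, email string, ous []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject: pkix.Name{
			CommonName:         cn,
			Organization:       []string{"Example Corp"},
			OrganizationalUnit: ous,
		},
		EmailAddresses: []string{email},
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(time.Hour),
		KeyUsage:       x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// subjectMatchesDN is the "exact match" strategy: the certificate's Subject,
// rendered as a DN string, must equal the directory DN (case-insensitively).
func subjectMatchesDN(cert *x509.Certificate, dn string) bool {
	return strings.EqualFold(cert.Subject.String(), dn)
}

// lookupByEmailAndCompare is the strategy from the thread: locate the entry by
// e-mail, then require the stored certificate to be identical to the client's.
func lookupByEmailAndCompare(cert *x509.Certificate, dir map[string]directoryEntry) (string, bool) {
	for _, mail := range cert.EmailAddresses {
		entry, ok := dir[strings.ToLower(mail)]
		if ok && bytes.Equal(entry.Cert, cert.Raw) {
			return entry.DN, true
		}
	}
	return "", false
}

// scenarioResult records the outcome of each strategy for one client cert.
type scenarioResult struct {
	ExactDNMatch bool // Subject string equals the directory DN
	EmailMatch   bool // e-mail lookup plus DER comparison, genuine cert
	ForgedMatch  bool // same e-mail, different certificate
}

func runScenario() (scenarioResult, error) {
	var r scenarioResult
	genuine, err := issueCert("Alice Example", "alice@example.com",
		[]string{"Engineering", "Security", "Platform", "EMEA"})
	if err != nil {
		return r, err
	}
	// The directory entry keeps only one of the four OUs the CA put in the cert.
	dir := map[string]directoryEntry{
		"alice@example.com": {
			DN:   "CN=Alice Example,OU=Engineering,O=Example Corp",
			Mail: "alice@example.com",
			Cert: genuine.Raw,
		},
	}
	r.ExactDNMatch = subjectMatchesDN(genuine, dir["alice@example.com"].DN)
	_, r.EmailMatch = lookupByEmailAndCompare(genuine, dir)

	// A second certificate with the same name and e-mail but a different key
	// (for example one issued by another CA) must not be accepted.
	other, err := issueCert("Alice Example", "alice@example.com", []string{"Engineering"})
	if err != nil {
		return r, err
	}
	_, r.ForgedMatch = lookupByEmailAndCompare(other, dir)
	return r, nil
}

func main() {
	r, err := runScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("exact subject/DN match: %v\n", r.ExactDNMatch)
	fmt.Printf("e-mail lookup + DER compare (genuine): %v\n", r.EmailMatch)
	fmt.Printf("e-mail lookup + DER compare (other cert): %v\n", r.ForgedMatch)
}
```

The exact-match test fails as soon as the CA's subject and the directory DN diverge, while the e-mail lookup binds the entry to one specific certificate and rejects any other certificate that merely shares the address. The cost of that precision is operational: the stored DER must be replaced whenever the certificate is reissued, and the comparison only proves the client presented the certificate on file, so chain validation still has to happen before the lookup.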