Massimiliano Pala <[EMAIL PROTECTED]> writes:

> "William M. Perry" wrote:
> > 
> > "Salz, Rich" <[EMAIL PROTECTED]> writes:
> > 
> > > >>How are you going to handle multiple OUs?  In the case where a certificate
> > > >>contains 4 multiple OUs but a user DN only contains one of those 4?
> > >
> > > Shouldn't the user DN exactly match the "subject" field from the cert?
> > > If not, when and why not?
> > 
> > It won't always be the case that your directory structure will map
> > _exactly_ to your certificate hierarchy.  If you are your own CA and are
> > being very careful, or using a tightly integrated directory service and
> > cert management server (like Netscape's upcoming stuff), then it will.
> > 
> > But if you want to use something like Verisign to get your certificates,
> > their certs are pretty nasty looking and I would _not_ want my directory to
> > look like that. :)
> > 
> > > >> I search in LDAP just by e-mail, and I compare the whole certificate byte
> > > >> to byte with the client one, to check if they're same cert.
> > > >We need to be more flexible about this though - not everybody will be
> > > >putting 'email' in their certificates, etc.
> > >
> 
> Searching by e-mail doesn't mean you search certificate's e-mail, but the
> attribute
> 
>       email: someone@somewhere
> 
> in the LDAP directory. When you have found the email, then you get the user's certificates.

Yes, but you need to somehow get 'someone@somewhere' out of the
certificate in order to form your LDAP query.  This is what I use the
rfc1485-ish format of X509_get_subject_name() to get.

> P.S.: I think e-mail is very useful either because if you want to use it
> in signing, your Netscape will not be very happy about it (could mark
> messages with "Invalid Signature") and especially because if someone
> needs to contact the certificate's user (the CA, let's say to renew it or
> to get confirmation for revoking it) he needs an email address...

It can be useful, but I think people are exposing entirely too much
information in their certificate names nowadays.  Things like your title or
division can expose too much information about you to an attacker.  If
someone wants to get at the financial info of aventail, and our CFO had
'Chief Financial Officer' as his title whereas I just had 'Unix Dweeb' or
nothing, they would know who to concentrate on. :)

Of course, this same info is available on your business card, but... :)

-Bill P.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
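The lookup Bill describes above (pull the e-mail address out of the subject string OpenSSL renders, search the directory by its e-mail attribute, then compare the certificates the directory returns byte for byte with the one the client presented), together with the multiple-OU question from the top of the thread, as an added example. This is not code from the thread and not OpenSSL code. It assumes the subject arrives as the text OpenSSL prints for the X509_NAME returned by X509_get_subject_name() (either the RFC 2253-style "CN=..,OU=..,O=.." form or the X509_NAME_oneline() "/C=../O=../CN=.." form), that the directory stores the address under an attribute called `mail`, and that an in-memory list can stand in for the LDAP server. The directory entries and the `userCertificate` bytes are constructed placeholders, not real certificates.

```python
"""Added example (not from the thread, not OpenSSL code): map a client
certificate to its directory entry the way the thread describes.

1. Parse the subject string OpenSSL renders into (type, value) pairs.
2. Pull the e-mail address out of it.
3. Search the directory by its mail attribute (an RFC 4515-escaped LDAP
   filter is built; a constructed in-memory list stands in for the server).
4. Compare each returned userCertificate byte for byte with the client's.
It also checks whether a user DN carrying one OU is "covered" by a subject
carrying several, the case asked about at the top of the thread.
"""
from typing import List, Optional, Tuple

# Attribute types under which the e-mail address shows up in subject names.
EMAIL_TYPES = {"emailaddress", "e", "email", "mail"}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Return (type, value) pairs in order.  Handles RFC 2253 escapes
    (backslash-char and backslash-XX hex pairs for ASCII bytes), double-quoted
    values, and '+' multi-valued RDNs.  A leading '/' selects the
    X509_NAME_oneline slash-separated form, where '+' is ordinary text."""
    oneline = dn.startswith("/")
    seps = "/" if oneline else ",;+"
    if oneline:
        dn = dn[1:]
    pairs: List[Tuple[str, str]] = []
    buf: List[str] = []
    in_quotes = False

    def flush() -> None:
        text = "".join(buf)
        buf.clear()
        if text.strip():
            typ, _, val = text.partition("=")
            pairs.append((typ.strip(), val.strip()))

    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            hexpair = dn[i + 1:i + 3]
            if len(hexpair) == 2 and all(c in "0123456789abcdefABCDEF" for c in hexpair):
                buf.append(chr(int(hexpair, 16)))  # ASCII hex escape
                i += 3
            else:
                buf.append(dn[i + 1])  # escaped special character
                i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch in seps and not in_quotes:
            flush()
        else:
            buf.append(ch)
        i += 1
    flush()
    return pairs


def email_from_dn(dn: str) -> Optional[str]:
    """First e-mail-bearing attribute in the subject, or None when the CA
    did not put one in (the "not everybody puts email in" case above)."""
    for typ, val in parse_dn(dn):
        if typ.lower() in EMAIL_TYPES:
            return val
    return None


def ldap_filter_escape(value: str) -> str:
    """RFC 4515 escaping, so a certificate-supplied value cannot smuggle
    filter syntax (a '*' wildcard, or ')(uid=*' ) into the search."""
    return "".join("\\%02x" % ord(c) if c in "*()\\\x00" else c for c in value)


def ldap_mail_filter(email: str) -> str:
    return "(mail=%s)" % ldap_filter_escape(email)


def dn_covered_by_subject(user_dn: str, cert_subject: str) -> bool:
    """True when every attribute of the directory DN also appears in the
    certificate subject.  Types and values compare case-insensitively (the
    caseIgnoreMatch rule most of these attributes use in LDAP), so a user DN
    with one OU matches a certificate carrying that OU among four."""
    have = {(t.lower(), v.casefold()) for t, v in parse_dn(cert_subject)}
    return all((t.lower(), v.casefold()) in have for t, v in parse_dn(user_dn))


# Constructed stand-in for LDAP search results.  The userCertificate values
# are placeholder DER blobs, not real certificates.
DIRECTORY: List[dict] = [
    {"dn": "uid=bperry,ou=People,o=Aventail", "mail": "bill@aventail.com",
     "userCertificate": [b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"]},
    {"dn": "uid=cfo,ou=People,o=Aventail", "mail": "cfo@aventail.com",
     "userCertificate": [b"\x30\x03\x02\x01\x03"]},
]


def entry_for_client_cert(subject: str, client_der: bytes,
                          directory: List[dict] = DIRECTORY) -> Optional[str]:
    """DN of the entry whose mail attribute matches the subject's e-mail AND
    which holds the presented certificate byte for byte; None otherwise."""
    email = email_from_dn(subject)
    if email is None:
        return None
    _ = ldap_mail_filter(email)  # what would be sent to a live server
    for entry in directory:  # same case-insensitive match the server applies
        if entry["mail"].casefold() != email.casefold():
            continue
        for cert in entry["userCertificate"]:
            if cert == client_der:  # whole certificate, byte for byte
                return entry["dn"]
    return None


if __name__ == "__main__":
    subj = ("emailAddress=bill@aventail.com,CN=Bill Perry,OU=Unix,"
            "OU=Engineering,OU=Ops,OU=Support,O=Aventail,C=US")
    print(ldap_mail_filter(email_from_dn(subj) or ""))
    print(dn_covered_by_subject("CN=Bill Perry,OU=Unix,O=Aventail,C=US", subj))
    print(entry_for_client_cert(subj, b"\x30\x03\x02\x01\x02"))
```

The byte-for-byte comparison is what makes the lookup safe against a forged subject: the e-mail only narrows the search, and a certificate that is not literally stored under that entry is rejected even if its subject says the right things. The filter escaping matters for the same reason, since the subject value comes from whoever obtained the certificate, not from the directory.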