"William M. Perry" wrote:
> > Searching by e-mail doesn't mean you search certificate's e-mail, but the
> > attribute
> >
> >       email: someone@somewhere
> >
> > in the LDAP directory. When found the email, then you get the user's certificates.
> 
> Yes, but you need to somehow get 'someone@somewhere' out of the
> certificate in order to form your LDAP query.  This is what I use the
> rfc1485-ish format of X509_get_subject_name() to get.

You can simply make the user send you his e-mail while requesting the
certificate, then you have it: simply add an entry to the LDAP for him
and add the email: attribute.

> It can be useful, but I think people are exposing entirely too much
> information in their certificate names nowadays.  Things like your title or
> division can expose too much information about you to an attacker.  If
> someone wants to get at the financial info of aventail, and our CFO had
> 'Chief Financial Officer' as his title whereas I just had 'Unix Dweeb' or
> nothing, they would know who to concentrate on. :)
> 
> Of course, this same info is available on your business card, but... :)

I think that a certificate with your name and e-mail/org/ou will not hurt
anyone: ou can be set to something like a code useful to you (not necessary
you have to put "Project Manager" just use 01PJS456 ...)

No other personal data will be present on the certificates. What you add
to the LDAP directory and how you control accesses to it ... it is something
different...

C'you,

        Massimiliano Pala ([EMAIL PROTECTED])
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
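The step the thread turns on is getting 'someone@somewhere' out of the certificate subject and using it in an LDAP query. The following is an added example, not code from the thread or from OpenSSL: it parses a subject name in the RFC 2253 form that OpenSSL's X509_NAME_print_ex() produces (the "rfc1485-ish" string mentioned above), pulls out the emailAddress component, and builds the LDAP search filter with the value escaped as RFC 4515 requires. The escaping is the part worth seeing: the subject string is chosen by whoever requested the certificate, so without it a crafted e-mail value could turn the lookup into a different filter. The sample subject, the hostile subject and the "email" attribute name (the thread's choice; inetOrgPerson uses "mail") are constructed for the example.

```python
"""Added example: extract the e-mail from an RFC 2253 subject string and
build a safely escaped LDAP filter for the directory lookup."""

# Constructed sample subject, in the form X509_NAME_print_ex() emits with
# XN_FLAG_RFC2253. Not taken from any real certificate.
SAMPLE_SUBJECT = (
    "emailAddress=someone@somewhere,CN=Massimiliano Pala,"
    "OU=01PJS456,O=Example Org,C=IT"
)

# Attribute types under which the e-mail may appear: the PKCS#9 emailAddress
# name, OpenSSL's older short name "Email", and its dotted OID.
EMAIL_TYPES = {"emailaddress", "email", "1.2.840.113549.1.9.1"}

_HEX = "0123456789abcdefABCDEF"


def parse_rfc2253(dn):
    """Split an RFC 2253 DN string into [(type, value), ...].

    Backslash escapes are honoured (``\\,`` for a literal comma, ``\\2C`` as
    a hex pair), so a ',' or '=' inside a value does not split the string.
    Hex pairs are decoded as single characters, which is exact for ASCII.
    """
    rdns, attr, val, in_attr, i = [], [], [], True, 0
    while i < len(dn):
        c = dn[i]
        if c == "\\" and i + 1 < len(dn):
            pair = dn[i + 1:i + 3]
            if len(pair) == 2 and all(h in _HEX for h in pair):
                (attr if in_attr else val).append(chr(int(pair, 16)))
                i += 3
            else:
                (attr if in_attr else val).append(dn[i + 1])
                i += 2
            continue
        if in_attr and c == "=":
            in_attr = False
        elif not in_attr and c in ",+":
            rdns.append(("".join(attr).strip(), "".join(val)))
            attr, val, in_attr = [], [], True
        else:
            (attr if in_attr else val).append(c)
        i += 1
    if attr or val:
        rdns.append(("".join(attr).strip(), "".join(val)))
    return rdns


def extract_email(dn):
    """Return the first e-mail-typed RDN value in the subject, or None."""
    for typ, val in parse_rfc2253(dn):
        if typ.lower() in EMAIL_TYPES:
            return val
    return None


def ldap_filter_escape(value):
    """Escape a value for use inside an LDAP search filter (RFC 4515 s.3):
    backslash, '*', '(', ')' and NUL become \\XX hex escapes."""
    out = []
    for ch in value:
        if ch in "\\*()\x00":
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def mail_filter_for_subject(dn, attribute="email"):
    """Build the filter that looks up the user's LDAP entry by e-mail.
    Raises ValueError when the subject carries no e-mail attribute."""
    email = extract_email(dn)
    if email is None:
        raise ValueError("subject has no e-mail attribute")
    return "(%s=%s)" % (attribute, ldap_filter_escape(email))


if __name__ == "__main__":
    print(mail_filter_for_subject(SAMPLE_SUBJECT))
    # Constructed hostile subject: unescaped, the filter would read
    # (email=x*)(uid=*) and match far more than the one intended entry.
    hostile = "emailAddress=x*)(uid=*,CN=Anyone"
    print(mail_filter_for_subject(hostile))
```

The same escaping applies whichever attribute the directory uses, and the parser is only needed when the e-mail has to be recovered from the printed subject; if the address is collected at request time and stored in the entry, as the reply suggests, only ldap_filter_escape() is still required before the value goes into a filter.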
