It doesn't make much sense to add attributes to certs if the values of those attributes can't be verified. Attribute Certificate seems the right way to go (thanks, Vijay!).
The question is - do our "mainstream" CAs (such as VeriSign, etc.) support Attribute Certificate?

Tnx!

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sascha Kiefer
> Sent: Friday, August 04, 2006 10:00
> To: openssl-users@openssl.org
> Subject: RE: extending a PKCS12 certificate
>
> Hi Gerd,
>
> It will. But as Dmitrij already pointed out, there are Attribute Certificates.
> Those attributes are not part of the signed data, so they can be changed (but also by anybody).
>
> But inside a PKCS they are at least safe and for internal use, it might work. (But you do not want to send login information that may be stored in a public certificate sent to the outside world, so for my understanding, it will no longer be a public certificate, would it?)
>
> So long,
> --sk
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of [EMAIL PROTECTED]
> Sent: Friday, 4 August 2006 17:24
> To: openssl-users@openssl.org
> Subject: RE: extending a PKCS12 certificate
>
> Hello Sascha,
>
> wouldn't this invalidate the digest and therefore the entire certificate?
> If changing the arbitrary data does not invalidate the certificate, it must not be part of the digest, but then everybody would be able to change it.
>
> And just adding the arbitrary data to the PKCS12 file would not make those data more trustworthy either. If this is possible at all.
>
> With kind regards
>
> Gerd
>
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Sascha Kiefer
> > Sent: Friday, August 04, 2006 2:11 PM
> > To: openssl-users@openssl.org
> > Subject: RE: extending a PKCS12 certificate
> >
> > As far as I know, PKCS12 is just a combination of your private key and the public certificate. So, it should be possible to extract the certificate, make the changes and pack it together with the private key again.
> >
> > -----Original Message-----
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Theodore Olen
> > Sent: Friday, 4 August 2006 15:31
> > To: openssl-users@openssl.org
> > Subject: extending a PKCS12 certificate
> >
> > Hello all,
> >
> > I would like to ask a question about PKCS12 certificates.
> >
> > Is it possible to extend a PKCS12 certificate with arbitrary data? I would like to extend a given certificate with user data (such as login and password) in such a way that the output certificate is still a valid certificate.
> >
> > If so, can this be done with OpenSSL? How do I extract the extensions?
> >
> > Thanks in advance. Kind regards,
> >
> > Theodore

______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]
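
The digest question raised in the thread can be checked directly with the `openssl` command line. The script below is an added example, not part of the original messages: it shows that data inside a certificate extension is covered by the CA signature, while a PKCS#12 friendlyName sits outside it. The CA and user names, the `nsComment` value, the friendly names and the password are all constructed for the demo.

```shell
#!/bin/sh
# Constructed demo: names, the nsComment value and the password are made up.
D=$(mktemp -d)
PW=pass:changeit

# Throwaway CA, then a user certificate carrying extra data in a signed extension.
make_certs() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=demo-ca" \
        -keyout "$D/ca.key" -out "$D/ca.pem" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-user" \
        -keyout "$D/key.pem" -out "$D/user.csr" 2>/dev/null &&
    printf 'nsComment=demo-login-alice\n' > "$D/ext.cnf" &&
    openssl x509 -req -in "$D/user.csr" -CA "$D/ca.pem" -CAkey "$D/ca.key" \
        -CAcreateserial -days 1 -extfile "$D/ext.cnf" -out "$D/cert.pem" 2>/dev/null
}

# Rewrite the extension value in the DER bytes (same length, so it still parses).
tamper_cert() {
    openssl x509 -in "$D/cert.pem" -outform DER |
        LC_ALL=C sed 's/demo-login-alice/demo-login-admin/' |
        openssl x509 -inform DER -out "$D/tampered.pem"
}

# Print OK if the CA's signature over the certificate verifies, else FAIL.
sig_status() {
    if openssl verify -CAfile "$D/ca.pem" "$1" 2>/dev/null | grep -q ': OK$'
    then echo OK; else echo FAIL; fi
}

# Pack key + certificate into PKCS#12 under the given friendlyName and print
# the SHA-256 fingerprint of the certificate that comes back out.
p12_cert_fp() {
    openssl pkcs12 -export -inkey "$D/key.pem" -in "$D/cert.pem" -name "$1" \
        -passout "$PW" -out "$D/bundle.p12" &&
    openssl pkcs12 -in "$D/bundle.p12" -nokeys -passin "$PW" 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256
}

make_certs && tamper_cert
echo "original certificate:  $(sig_status "$D/cert.pem")"
echo "edited extension:      $(sig_status "$D/tampered.pem")"
echo "p12, name 'alice':     $(p12_cert_fp 'alice')"
echo "p12, name 'login=x':   $(p12_cert_fp 'login=x')"
```

The two PKCS#12 fingerprints are identical because the friendlyName is a bag attribute of the container: anyone who can open the file can rewrite it, and no verifier of the certificate ever sees it.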