There is one more problem with attributes and official CA's. If you are your
own CA, it makes a big difference (less trust around in the world - but you
can enforce any attribute verification policy that you choose to).

Attributes are added at the time of certification (good - so they can't be
maliciously changed/removed/added later), but currently CA's do NOT verify
them (bad - crap placed in by the identity owner is still crap). Thus, you
can prove that you are Hubert - and add a whole bunch of stuff about you
(the tallest man in Germany, undercover assistant of UN Secretary General,
whatever). Resulting cert will contain a mix of true statements with
something "uncertain".

A solution can be "Attribute Certificate". I don’t know if it makes sense to
you - running your own CA you're free to do what's right regardless of what
VeriSign is doing.

Sorry I didn't answer your question - somebody more knowledgeable about
OpenSSL will explain why it exhibits what I consider a bug (whatever is
placed in the CSR must be signed IMHO).


> -----Original Message-----
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Quarantel, Hubert
> Sent: Wednesday, September 06, 2006 08:46
> To: openssl-users@openssl.org
> Subject: Including attributes in the signed certificate
> 
> Hi!
> 
> I'm trying to include attributes/fields in a signed certificate.
> 
> I've first issued a CSR with some extra attributes in it, 
> here's what the CSR looks like with openssl req -in test.csr 
> -text -noout :
> 
> Certificate Request:
>     Data:
>         Version: 0 (0x0)
>         Subject: O=TEST, OU=Support, 
> CN=TEST/[EMAIL PROTECTED]
>         Subject Public Key Info:
>             Public Key Algorithm: dsaEncryption
>             DSA Public Key:
>                 pub:
>                               (snip)
>                 P:
>                               (snip)
>                 Q:
>                               (snip)
>                 G:
>                               (snip)
>         Attributes:
>             countryName              :FR
>             localityName             :Paris
>             uidNumber                :4321
>             gidNumber                :1234
>             uid                      :test
>     Signature Algorithm: dsaWithSHA1
>                               (snip)
> 
> I'm very happy so far, as I see the attributes/fields 
> countryName, uid, uidNumber, ... I added in the 
> [req_attribute] of the default openssl.cnf file, along with 
> their respective OIDs in the [new_oids] section.
> 
> But, when I sign the certificate request with that same 
> openssl.cnf file, either with openssl ca or with openssl 
> x509, the produced certificate does not include those 
> attributes, as shown by openssl x509 -text -in test.crt -noout
> 
> Certificate:
>     Data:
>         Version: 3 (0x2)
>         Serial Number: 2 (0x2)
>         Signature Algorithm: sha1WithRSAEncryption
>         Issuer: CN=TEST CA, O=TEST/[EMAIL PROTECTED]
>         Validity
>             Not Before: Sep  6 11:09:06 2006 GMT
>             Not After : Sep  7 11:09:06 2006 GMT
>         Subject: O=TEST, OU=Support, 
> CN=TEST/[EMAIL PROTECTED]
>         Subject Public Key Info:
>             Public Key Algorithm: dsaEncryption
>             DSA Public Key:
>                 pub:
>                               (snip)
>                 P:
>                               (snip)
>                 Q:
>                               (snip)
>                 G:
>                               (snip)
>         X509v3 extensions:
>             X509v3 Basic Constraints:
>                 CA:FALSE
>             Netscape Comment:
>                 OpenSSL Generated Certificate
>             X509v3 Subject Key Identifier:
>                 19:88:DF:ED:6C:82:86:BA:91:81:AA:1A:A4:55:A7:5C:20:7B:5A:62
>             X509v3 Authority Key Identifier:
>                 keyid:CF:A8:E1:B1:BD:5C:B2:55:9B:20:F5:44:8E:36:D2:F4:E6:E9:10:FF
> 
>     Signature Algorithm: sha1WithRSAEncryption
>                               (snip) 
> 
> Would anyone help me? Or at least tell me where I went wrong?
> 
> Thanks for any kind of help,
> 
> Hubert,
>  
> UNIX is user friendly.
> It's just selective about who its friends are.
> 
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           [EMAIL PROTECTED]

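The reply's point is that the CA signs whatever subject the requester typed without checking it, and that a CA you run yourself can enforce its own policy. The following is an added example, not code from the thread or from OpenSSL: a small CA-side gate that refuses to sign a CSR whose subject contains attribute types outside an allow-list or which requests a CA extension. The allow-list, the three sample CSRs (subjects modelled on Hubert's O=TEST/OU=Support/CN=TEST) and the `title=` claim are all constructed here; it assumes the `openssl` CLI, 1.1.1 or newer for `-addext`.

```shell
#!/bin/sh
# Added example (not from the thread). A CA-side gate that refuses to sign a
# CSR unless its subject attribute types are on the CA's allow-list and it
# requests no forbidden extension. Sample CSRs are constructed in a temp dir.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Subject attribute types this CA is willing to certify (constructed policy).
ALLOWED_RDN='C|ST|L|O|OU|CN'

# csr_policy_ok CSR: exit 0 if the request may be signed, 1 if it must be refused.
csr_policy_ok() {
  csr=$1
  # 1. The CSR's self-signature must verify; a tampered request is never signed.
  openssl req -in "$csr" -noout -verify >/dev/null 2>&1 || return 1
  # 2. Every RDN type in the subject must be on the allow-list. Anything else
  #    (title=..., whatever the requester typed) is refused rather than signed,
  #    because once signed it would carry the CA's authority. RFC 2253 output
  #    escapes a literal ',' or '+' as '\,' / '\+', so those are masked before
  #    splitting on ',' (between RDNs) and '+' (multi-valued RDNs).
  subj=$(openssl req -in "$csr" -noout -subject -nameopt RFC2253 | sed 's/^subject=//')
  bad=$(printf '%s\n' "$subj" | sed 's/\\,/\\054/g; s/\\+/\\053/g' \
        | tr ',+' '\n\n' | sed 's/=.*//' | grep -vxE "$ALLOWED_RDN" || true)
  [ -z "$bad" ] || return 1
  # 3. Requested extensions travel in the PKCS#10 extensionRequest attribute;
  #    a request to become a CA is refused outright.
  if openssl req -in "$csr" -noout -text | grep -q 'CA:TRUE'; then return 1; fi
  return 0
}

# mkcsr OUT SUBJECT [extra "openssl req" options]: throwaway key plus CSR.
mkcsr() {
  out=$1; subj=$2; shift 2
  openssl req -new -newkey rsa:2048 -nodes -keyout "$out.key" \
    -subj "$subj" -out "$out" "$@" 2>/dev/null
}
GOOD_CSR=$WORK/good.csr;   mkcsr "$GOOD_CSR"  "/O=TEST/OU=Support/CN=TEST"
CLAIM_CSR=$WORK/claim.csr; mkcsr "$CLAIM_CSR" "/O=TEST/OU=Support/CN=TEST/title=Tallest man in Germany"
CA_CSR=$WORK/ca.csr;       mkcsr "$CA_CSR"    "/O=TEST/OU=Support/CN=TEST" -addext 'basicConstraints=CA:TRUE'

for c in "$GOOD_CSR" "$CLAIM_CSR" "$CA_CSR"; do
  if csr_policy_ok "$c"; then echo "ACCEPT $(basename "$c")"; else echo "REFUSE $(basename "$c")"; fi
done
```

Only the plain request passes; the unverified `title=` claim and the CA:TRUE request are refused before any signing happens.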