[RFC] EXTERNAL auth choosing between CN and email address?
marco at esi.it
Fri Feb 25 06:06:04 EST 2005
Kevin P. Fleming wrote:
> Marco Colombo wrote:
>> What field is that, exactly? v3 extension?
> I'm not sure... it's in the OpenSSL header files as
Oh, I know nothing of the OpenSSL API. It seems to me (but I'm not sure)
it's the emailAddress attribute in the DN. Some time ago I did some
research, and found this:
In addition, legacy implementations exist where an RFC 822 name is
embedded in the subject distinguished name as an EmailAddress
attribute. The attribute value for EmailAddress is of type IA5String
to permit inclusion of the character '@', which is not part of the
PrintableString character set. EmailAddress attribute values are not
case sensitive (e.g., "fanfeedback@redsox.com" is the same as
"FANFEEDBACK@REDSOX.COM").

Conforming implementations generating new certificates with
electronic mail addresses MUST use the rfc822Name in the subject
alternative name field (see sec. 4.2.1.7) to describe such
identities. Simultaneous inclusion of the EmailAddress attribute in
the subject distinguished name to support legacy implementations is
deprecated but permitted.
So it seems its usage is deprecated. If you are to code a patch, you
may look into the alternative name(s). Those are standard v3 extensions.
As I understand it, conforming applications should look there in order
to find email addresses (of type rfc822Name). Of course, since you're
using your own CA, you could use whatever field/attribute, but keeping
an eye on standards won't hurt, IMHO. And after all, your own mail was
an RFC. :-)
--
Marco Colombo
Technical Manager
ESI s.r.l.
Colombo at ESI.it
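As an added illustration (not code from this thread, from Cyrus or from OpenSSL), here is the lookup order the quoted RFC text implies for an EXTERNAL-auth identity: rfc822Name in subjectAltName first, the deprecated EmailAddress DN attribute only as a fallback, and CN last. It assumes the certificate fields have already been decoded into (type, value) tuples; the tuple shape and the "reject on disagreement" policy are choices made for this example.

```python
"""Choose a mail identity from an X.509 certificate for EXTERNAL auth.

Assumed input shape (constructed for this example, not an OpenSSL API):
  san:     list of (general_name_type, value) from subjectAltName
  subject: list of (attribute_type, value) from the subject DN
"""
from typing import List, Optional, Tuple

RFC822NAME = "rfc822Name"       # GeneralName choice in subjectAltName (standard)
EMAIL_ADDRESS = "emailAddress"  # legacy PKCS#9 attribute in the DN (deprecated)
COMMON_NAME = "CN"


def normalize_email(value: str) -> str:
    """EmailAddress values compare case-insensitively per the RFC text quoted
    above; '@' is only legal because the attribute is an IA5String."""
    value = value.strip()
    if value.count("@") != 1 or not value.isascii():
        raise ValueError(f"not an IA5String mail address: {value!r}")
    return value.lower()


def _emails(pairs, wanted: str) -> List[str]:
    """Collect normalized addresses of one field type, order kept, no dupes."""
    found: List[str] = []
    for kind, value in pairs:
        if kind == wanted:
            mail = normalize_email(value)
            if mail not in found:
                found.append(mail)
    return found


def certificate_email(san, subject) -> Optional[Tuple[str, str]]:
    """Return (email, source). Standard location wins; the legacy DN attribute
    is accepted only when it does not contradict the subjectAltName."""
    san_mails = _emails(san, RFC822NAME)
    dn_mails = _emails(subject, EMAIL_ADDRESS)
    if san_mails and dn_mails and not set(dn_mails) <= set(san_mails):
        return None  # legacy field disagrees with the alt name: reject the cert
    if san_mails:
        return san_mails[0], "subjectAltName"
    if dn_mails:
        return dn_mails[0], "subject emailAddress (deprecated)"
    return None


def external_authid(san, subject) -> Optional[str]:
    """Identity for EXTERNAL: email if the cert carries one, otherwise the CN."""
    found = certificate_email(san, subject)
    if found:
        return found[0]
    return next((v for k, v in subject if k == COMMON_NAME), None)
```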