Uh, naughty. But in practice I would expect there wouldn't
be any collisions.
The UK at least doesn't let people request "@" in the DN
- can't think of any CA that does, except DoE was thinking
about it. "@" is not valid in printableString and other
encodings often don't work although the situation may be
better these days.
-j
-----Original Message-----
From: Kostas Georgiou [mailto:[log in to unmask]]
Sent: 22 August 2006 12:19
To: Jensen, J (Jens)
Cc: [log in to unmask]
Subject: Re: DCache and DN's including the Email
On Tue, Aug 22, 2006 at 11:54:59AM +0100, Jensen, J (Jens) wrote:
> Makes sense - "/E=" is Yet Another Way To Print Email As A String(tm)
> - this one a javaism.
>
> At least we know what the problem is, but it's ugly having to hack
> the mapfiles.
Notice the difference:
mapping "/C=IT/O=INFN/OU=Personal Certificate/L=Bari/CN=Nicola De Filippis/E=Nicola.defilippis" cms001
mapping "/C=IT/O=INFN/OU=Personal Certificate/L=Bari/CN=Nicola De [log in to unmask]" cms001
Dcache needs everything after the @ dropped and it's not unlikely that
in the future @ might be in use outside the email. Is anything stopping
a user from requesting a certificate with a @ in it right now?
I suspect that if I ask for "/C=UK/O=eScience/OU=CLRC/L=RAL/CN=jens g jensen@someotherstring"
I will not get it unless the system is automated (but isn't one of the Swiss
ones automated?).
Kostas
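
The check discussed in this thread, as an added example that is not part of the original messages: it applies the "drop everything after the @" workaround to a mapfile and reports truncated DNs that would select more than one account, plus any "@" found outside an email RDN. The sample DNs and accounts are constructed; the email labels other than "/E=" and the naive split on "/" are assumptions.

```python
import re
from collections import defaultdict

# Line format as shown in the thread: mapping "<DN>" <account>
MAPPING_RE = re.compile(r'^\s*mapping\s+"([^"]+)"\s+(\S+)\s*$')
# Assumption: labels under which tools print the email RDN ("/E=" is from the thread)
EMAIL_TYPES = {"E", "Email", "emailAddress"}

# Constructed sample mapfile (not real DNs or accounts)
SAMPLE = '''
mapping "/C=UK/O=Example/OU=Site/CN=alice example/E=alice@example.org" user001
mapping "/C=UK/O=Example/OU=Site/CN=alice example/E=alice@example.net" user002
mapping "/C=UK/O=Example/OU=Site/CN=bob@lab one" user003
mapping "/C=UK/O=Example/OU=Site/CN=bob@lab two" user003
'''

def truncate_at_sign(dn):
    """Apply the workaround from the thread: drop the '@' and everything after it."""
    return dn.split("@", 1)[0]

def parse_mapfile(text):
    """Return (dn, account) pairs from mapping lines; other lines are skipped."""
    pairs = []
    for line in text.splitlines():
        m = MAPPING_RE.match(line)
        if m:
            pairs.append((m.group(1), m.group(2)))
    return pairs

def find_collisions(pairs):
    """Truncated DNs that would map to more than one account."""
    by_truncated = defaultdict(set)
    for dn, account in pairs:
        by_truncated[truncate_at_sign(dn)].add(account)
    return {t: sorted(a) for t, a in by_truncated.items() if len(a) > 1}

def at_outside_email(dn):
    """RDNs containing '@' whose type is not an email label.
    Assumes no '/' inside RDN values (naive split)."""
    flagged = []
    for rdn in filter(None, dn.split("/")):
        if "@" in rdn and rdn.split("=", 1)[0] not in EMAIL_TYPES:
            flagged.append(rdn)
    return flagged

if __name__ == "__main__":
    entries = parse_mapfile(SAMPLE)
    print("ambiguous after truncation:", find_collisions(entries))
    for dn, _ in entries:
        if at_outside_email(dn):
            print("'@' outside email RDN:", dn)
```

The two "bob" entries truncate to the same string but map to the same account, so they are reported only by the second check, not as a collision.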