> the email address attribute in the CA DN has been
Sorry I meant
the email address attribute in the UK CA hosts DNs has been....
cheers
(always in incognito)
alessandra
On 21/12/10 19:30, Alessandra Forti wrote:
> Hi,
>
> the email address attribute in the CA DN has been a headache for
> several years. If there is a chance to remove it we definitely should
> do it.
>
> cheers
> (in incognito from xmas break)
> alessandra
>
> On 21/12/10 18:10, Jens Jensen wrote:
>> On 21/12/2010 14:14, Stephen Burke wrote:
>>> The OGF CAOPS profile document says "The attribute pkcs9email
>>> ("emailAddress") SHOULD NOT be used in subject names" (page 11), and as
>>> far as I can see it has said that since the first version of the
>>> document in 2006 ... you're an author of that document, so why is it
>>> taking the UK CA so long to fix this?!
>> Hi Stephen,
>>
>> Thanks for the response.
>>
>> Well it is taking us a long time because we have gone to great lengths
>> to ensure that names stay the same... we have it for historical reasons
>> - the namespace even predates the CA.
>>
>> SHOULD means we must understand the consequences of not doing as
>> recommended, and I think we do.
>>
>> Having said that, I think the past is slowly catching up with us and
>> we will need to modernise our certificates soon - switch to v2 CRLs(!),
>> get rid of Netscape extensions and replace with extended key usage,
>> maybe optionally lose the emailaddress. (It helps that the server's identity
>> should be based on the subject alternative name, the trouble is when the
>> host acts as a client, it is the DN which appears in the log file and I
>> believe the original purpose of the email address was to give the
>> recipient an idea of which user/group had connected via a host
>> certificate - but I could be wrong.)
>>
>> Cheers
>> --jens
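The point Jens makes about the emailAddress attribute sitting in the subject DN, and the DN being what shows up in a log when a host acts as a client, can be checked mechanically on any certificate. The following is an added example written for this page, not code from the thread or from the UK CA: a minimal DER reader for an X.509 Name that reports any pkcs-9 emailAddress (OID 1.2.840.113549.1.9.1) attributes and renders the DN in the OpenSSL one-line style a site admin would see in a log. The sample DNs are constructed inline (organisation and host names are placeholders, not real UK CA subjects); the parser handles only the Name subset needed here (definite-length DER, string-typed attribute values), not a full certificate.

```python
"""Detect the pkcs-9 emailAddress attribute in a DER-encoded X.509 Name.

Added example for the mailing-list discussion above; the DER encoder is only
there to construct sample input, the decoder is what a checker would run over
the subject field pulled out of a real certificate.
"""

OID_EMAIL = "1.2.840.113549.1.9.1"   # pkcs-9 emailAddress (deprecated in subject names)
OID_CN = "2.5.4.3"
OID_O = "2.5.4.10"
OID_C = "2.5.4.6"
SHORT = {OID_C: "C", OID_O: "O", OID_CN: "CN", OID_EMAIL: "emailAddress"}


# ---- encoding helpers, used only to build constructed sample DNs ----

def _der_len(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [40 * parts[0] + parts[1]]
    for p in parts[2:]:
        chunk = [p & 0x7F]          # base-128, high bit set on all but the last byte
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def encode_name(rdns):
    """rdns: list of (oid, value). One attribute per RDN, as CAs normally issue."""
    seq = b""
    for oid, value in rdns:
        tag = 0x16 if oid == OID_EMAIL else 0x0C   # IA5String for email, UTF8String otherwise
        atv = _tlv(0x30, _encode_oid(oid) + _tlv(tag, value.encode()))
        seq += _tlv(0x31, atv)                      # SET OF AttributeTypeAndValue
    return _tlv(0x30, seq)                          # SEQUENCE OF RDN


# ---- decoding: what a checker runs over a real subject field ----

def _read_tlv(buf, pos):
    """Return (tag, body, position after the element) for one DER element."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def _decode_oid(body):
    parts = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def decode_name(der):
    """Flatten a DER Name into an ordered list of (dotted-oid, value) pairs."""
    tag, body, _ = _read_tlv(der, 0)
    assert tag == 0x30, "Name must be a SEQUENCE"
    rdns, pos = [], 0
    while pos < len(body):
        stag, rdn, pos = _read_tlv(body, pos)
        assert stag == 0x31, "RDN must be a SET"
        p = 0
        while p < len(rdn):                      # multi-valued RDNs are handled too
            _, atv, p = _read_tlv(rdn, p)
            _, oid_body, q = _read_tlv(atv, 0)
            _, value, _ = _read_tlv(atv, q)
            rdns.append((_decode_oid(oid_body), value.decode()))
    return rdns


def email_attributes(der):
    """All emailAddress values present in the subject; empty list means compliant."""
    return [v for oid, v in decode_name(der) if oid == OID_EMAIL]


def dn_string(der):
    """OpenSSL-style one-line DN, i.e. what appears in a server log for a client cert."""
    return "".join(f"/{SHORT.get(oid, oid)}={v}" for oid, v in decode_name(der))


# Constructed sample subjects (placeholder names, not real issued DNs).
SAMPLE_WITH_EMAIL = encode_name([
    (OID_C, "UK"), (OID_O, "ExampleOrg"), (OID_CN, "ce.example.invalid"),
    (OID_EMAIL, "ops@example.invalid"),
])
SAMPLE_NO_EMAIL = encode_name([
    (OID_C, "UK"), (OID_O, "ExampleOrg"), (OID_CN, "ce.example.invalid"),
])

if __name__ == "__main__":
    for label, der in (("legacy", SAMPLE_WITH_EMAIL), ("modern", SAMPLE_NO_EMAIL)):
        print(label, dn_string(der), "emailAddress:", email_attributes(der) or "none")
```

On a real certificate the subject bytes come from `openssl x509 -outform DER` followed by walking the TBSCertificate to the subject field, or from any X.509 library that exposes the raw subject; the check itself is the same. The rendered `dn_string` output is also the form worth grepping for in existing logs when estimating how many relying parties still key on the DN rather than on the subject alternative name before the attribute is dropped.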