On 15-03-13 18:14, Stephen Jones wrote:
> On 03/15/2013 04:38 PM, Stephen Burke wrote:
>> The best solution is of course not to have email addresses in DNs
>
> Yes, agreed - that's the best message to send out from now on.
>
> But it's rather like the joke about the American tourist who stops
> in the middle of Ireland and asks a local how to get to Limerick.
> The local answers "If I were you, I wouldn't start from here" ...
>
> If I hadn't had an email address in the DN, I would not have found
> the "bug", which, by the way, doesn't occur in EMI 1 or 2, for some
> reason.
>
> Perhaps the release papers for EMI3 ARGUS should say to avoid
> emails in DNs (if they don't already). Of course, everyone reads
> the release papers assiduously!
>
> Anyway, have a great weekend, all.
>
> Steve
Mid-weekend back story:
There are a bunch of RDNs (sub-parts of a Subject DN) banned from usage
because different SSL libraries can represent them differently.
In this case you've uncovered a difference between the representation
of Email or EMAILADDRESS or emailAddress between OpenSSL and Java-based
libraries, i.e. likely to be BouncyCastle.
There are a few more of these like UID and SN (Serial number or Surname)
that should not be used. Likewise there exist Microsoft and Apple
specific elements too for which there is no string representation
available in most other SSL stacks.
Bottom line:
The GGUS ticket was already mentioned, but I would also try to hint the
CA to stop using these elements. The root of the topic is many years old
and well known. It's a matter of time before another tool somewhere
needs fixing caused by the same type of problem.
Oscar
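A check in the spirit of Oscar's point, added here as an example and not code from the thread: it maps the labels the different stacks use for the same attribute (Email, EMAILADDRESS, emailAddress, BouncyCastle's E, plus UID and SN) to their OIDs so that DN renderings can be compared, and flags the banned RDN types before a DN is accepted into a mapping. The alias table and the three sample renderings of one subject (OpenSSL slash form, Java's toString() form, Java's RFC 2253 form with a #hex-encoded value) are constructed for the example.

```python
"""Added example, not code from the thread: canonicalise X.509 subject DNs so that
one subject compares equal whether OpenSSL printed it ("/C=UK/.../emailAddress=...")
or a Java stack did ("EMAILADDRESS=...", or RFC 2253 output where an unrecognised
type appears as its OID with a '#hex' DER value), and flag the banned RDN types."""
import binascii
import re

# Attribute labels -> dotted OID: one type, several spellings across stacks.
ALIASES = {
    "C": "2.5.4.6", "ST": "2.5.4.8", "L": "2.5.4.7", "O": "2.5.4.10",
    "OU": "2.5.4.11", "CN": "2.5.4.3", "DC": "0.9.2342.19200300.100.1.25",
    "EMAILADDRESS": "1.2.840.113549.1.9.1", "EMAIL": "1.2.840.113549.1.9.1",
    "E": "1.2.840.113549.1.9.1", "UID": "0.9.2342.19200300.100.1.1",
    "SN": "2.5.4.4", "SERIALNUMBER": "2.5.4.5",  # SN = surname in OpenSSL, ambiguous elsewhere
}
# Types the thread says should not appear in DNs: rendered differently per stack.
BANNED = {"1.2.840.113549.1.9.1": "emailAddress", "0.9.2342.19200300.100.1.1": "UID",
          "2.5.4.4": "SN (surname)", "2.5.4.5": "serialNumber"}

def _decode_hex_value(hexstr):
    """Decode an RFC 2253 '#hex' value: DER tag, short-form length, string bytes."""
    raw = binascii.unhexlify(hexstr)
    if len(raw) < 2 or raw[1] & 0x80 or raw[1] != len(raw) - 2:
        raise ValueError("unsupported DER encoding: " + hexstr)
    return raw[2:].decode("utf-8" if raw[0] == 0x0C else "ascii")

def canonical_dn(dn):
    """Return the DN as a root-first list of (oid, value) pairs."""
    if dn.startswith("/"):                 # OpenSSL style: root first, '/'-separated
        parts = re.split(r"(?<!\\)/", dn[1:])
    else:                                  # RFC 2253 style: leaf first, ','-separated
        parts = re.split(r"(?<!\\),", dn)[::-1]
    rdns = []
    for part in parts:
        attr, _, value = part.strip().partition("=")
        attr = attr.strip().upper().removeprefix("OID.")
        oid = ALIASES.get(attr, attr)      # dotted OIDs pass through unchanged
        if value.startswith("#"):
            value = _decode_hex_value(value[1:])
        rdns.append((oid, value.replace("\\/", "/").replace("\\,", ",").strip()))
    return rdns

def banned_rdns(dn):
    """Names of banned attribute types present in the DN (empty list if clean)."""
    return [BANNED[oid] for oid, _ in canonical_dn(dn) if oid in BANNED]

def same_subject(dn_a, dn_b):
    """True when two renderings name the same subject, whatever the stack printed."""
    return canonical_dn(dn_a) == canonical_dn(dn_b)

# Constructed sample: one subject as OpenSSL, Java toString() and Java RFC 2253 render it.
OPENSSL_DN = "/C=UK/O=eScience/OU=Manchester/L=HEP/CN=Test User/emailAddress=user@example.org"
JAVA_DN = "EMAILADDRESS=user@example.org, CN=Test User, L=HEP, OU=Manchester, O=eScience, C=UK"
JAVA_RFC2253_DN = ("1.2.840.113549.1.9.1=#161075736572406578616d706c652e6f7267,"
                   "CN=Test User,L=HEP,OU=Manchester,O=eScience,C=UK")
```

A naive string comparison of the three sample strings fails, while `same_subject` matches them and `banned_rdns` reports the emailAddress RDN that causes the mismatch.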