Indeed the pragmatic solution is the only reasonable/easy way forward. The RFC and GFD documents do not however forbid emailAddress in a subject name -- but -- GFD.125 is going through a conversion process from informational document to recommendation. I've just suggested that they might want to strengthen the non-use of emailAddress recommendation.

BTW, I think the problem is worse than not having a standard way to stringify a DN but the detail is probably too long for this list.

Mike

On Friday 05 August 2011 14:09:42 Stephen Burke wrote:
> Testbed Support for GridPP member institutes [mailto:TB-[log in to unmask]] On Behalf Of Mike Jones via mobile said:
> > But this is not a bug in the way we issue certificates or how the voms
> > server works but a longstanding issue with how middleware uses them and
> > how the various libraries decode them. Ultimately changing the
> > operation of the CA might be the pragmatic solution but it doesn't fix
> > the underlying issue.
>
> The underlying issue is not really fixable in any fundamental way, the
> problem is the lack of a standards body to decide which format is correct.
> In practice the only way out is not to use the email address DN component
> at all, and that has been the recommendation for CAs for many years, but
> unfortunately the UK CA has not implemented it up to now.
>
> Stephen