Hi,
the email address attribute in the CA DN has been a headache for several
years. If there is a chance to remove it we definitely should do it.
cheers
(in incognito from xmas break)
alessandra
On 21/12/10 18:10, Jens Jensen wrote:
> On 21/12/2010 14:14, Stephen Burke wrote:
>> The OGF CAOPS profile document says "The attribute pkcs9email
>> ("emailAddress") SHOULD NOT be used in subject names" (page 11), and as
>> far as I can see it has said that since the first version of the
>> document in 2006 ... you're an author of that document, so why is it
>> taking the UK CA so long to fix this?!
> Hi Stephen,
>
> Thanks for the response.
>
> Well it is taking us a long time because we have gone to great lengths
> to ensure that names stay the same... we have it for historical reasons
> - the namespace even predates the CA.
>
> SHOULD means we must understand the consequences of not doing as
> recommended, and I think we do.
>
> Having said that, I think the past is slowly catching up with us and
> we will need to modernise our certificates soon - switch to v2 CRLs(!),
> get rid of Netscape extensions and replace with extended key usage,
> maybe optionally lose the emailaddress. (It helps the server's identity
> should be based on the subject alternative name, the trouble is when the
> host acts as a client, it is the DN which appears in the log file and I
> believe the original purpose of the email address was to give the
> recipient an idea of which user/group had connected via a host
> certificate - but I could be wrong.)
>
> Cheers
> --jens