RE: source of "Friendly name"
CryptoAPI doesn't (normally) use Friendly Names as extensions in
certificates but instead uses them as properties that are stored with a
certificate; it's a label provided by the user/application at generation
time that can be used to identify a specific certificate without
certificate-specific knowledge.
Think of values like "My Bank Certificate", "My Work Certificate", etc.
When CryptoAPI exports a certificate into a P12 it also stores (if I
recall correctly) the friendly name if it was there.
Ryan
-----Original Message-----
From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx]
On Behalf Of Francis Dupont
Sent: Tuesday, January 30, 2007 12:42 AM
To: yannick quenechdu
Cc: md@xxxxxxxx; ietf-pkix@xxxxxxx
Subject: Re: source of "Friendly name"
In your previous mail you wrote:
Moudrick M. Dadashov wrote:
> Hello,
>
> anybody knows what is the source of so called "Friendly Name" displayed by
> Microsoft certificate viewer? I can't find any extensions for this field
> either.
>
The cert associated with the private key had "friendly name" associated
with it. Is similar with alias in JKS file or see
openssl when you create PKCS12, you have an option "Friendly Name".
Note: friendly names are optional in windows but required by NSS
(mozilla). If the PKCS12 file was created without a
friendly name for the cert, that's why it failed.
=> perhaps Moudrick was looking for the OID?
  iso(1) member-body(2) US(840) rsadsi(113549) pkcs(1) pkcs9(9) friendlyName(20)
In openssl pkcs12 related options are:
  -name "name"    use name as friendly name
  -caname "nm"    use nm as CA friendly name (can be used more than once).
Regards
Francis.Dupont@xxxxxxxxxx
PS: PKCS9 is RFC 2985 too, friendlyName is section 5.5.1, syntax is:
  friendlyName ATTRIBUTE ::= {
          WITH SYNTAX BMPString (SIZE(1..pkcs-9-ub-friendlyName))
          EQUALITY MATCHING RULE caseIgnoreMatch
          SINGLE VALUE TRUE
          ID pkcs-9-at-friendlyName
  }
with
  pkcs-9-ub-pkcs9String  INTEGER ::= 255
  pkcs-9-ub-friendlyName INTEGER ::= pkcs-9-ub-pkcs9String
  pkcs-9 OBJECT IDENTIFIER ::= {iso(1) member-body(2) us(840)
                                rsadsi(113549) pkcs(1) 9}
  pkcs-9-at-friendlyName OBJECT IDENTIFIER ::= {pkcs-9 20}
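
Added example (not part of the original messages, and not code from CryptoAPI, NSS or OpenSSL): the friendlyName attribute quoted above, DER-encoded and decoded in Python with the SIZE(1..255), BMPString and SINGLE VALUE constraints enforced. The function names are illustrative, and the attribute is assumed to be carried in the usual Attribute wrapper, a SEQUENCE of the OID and a SET of values.

```python
FRIENDLY_NAME_ARCS = (1, 2, 840, 113549, 1, 9, 20)  # OID quoted in the message
UB_FRIENDLY_NAME = 255                               # pkcs-9-ub-friendlyName

def _tlv(tag, value):  # DER tag-length-value with a definite length
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + value

def encode_oid(arcs):
    """First two arcs share one octet; later arcs are base-128, high bit = more."""
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while (arc := arc >> 7):
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))

def encode_friendly_name(name):
    """SEQUENCE { OID, SET { BMPString } }: one value, 1..255 characters."""
    if not 1 <= len(name) <= UB_FRIENDLY_NAME:
        raise ValueError("friendlyName must be 1..255 characters")
    if any(ord(c) > 0xFFFF or 0xD800 <= ord(c) <= 0xDFFF for c in name):
        raise ValueError("BMPString covers only the Basic Multilingual Plane")
    bmp = _tlv(0x1E, name.encode("utf-16-be"))  # 0x1E = BMPString, 2 bytes/char
    return _tlv(0x30, encode_oid(FRIENDLY_NAME_ARCS) + _tlv(0x31, bmp))

def _read(buf, pos, tag):  # one TLV with the expected tag -> (value, next pos)
    if pos + 2 > len(buf) or buf[pos] != tag:
        raise ValueError(f"expected tag {tag:#04x} at offset {pos}")
    n, pos = buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    if pos + n > len(buf):
        raise ValueError("truncated value")
    return buf[pos:pos + n], pos + n

def decode_friendly_name(der):
    seq, _ = _read(der, 0, 0x30)
    oid, pos = _read(seq, 0, 0x06)
    if oid != encode_oid(FRIENDLY_NAME_ARCS)[2:]:
        raise ValueError("not a friendlyName attribute")
    values, _ = _read(seq, pos, 0x31)
    bmp, end = _read(values, 0, 0x1E)
    if end != len(values):
        raise ValueError("friendlyName is SINGLE VALUE")
    return bmp.decode("utf-16-be")
```

The encoded OID bytes `2a 86 48 86 f7 0d 01 09 14` are what to search for in a hex dump of a PKCS #12 file to locate the label.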