Re: Can we form certificates with just name and e-mail address
- To: PKIX Mailing List <ietf-pkix@xxxxxxx>
- Subject: Re: Can we form certificates with just name and e-mail address
- From: Aram Perez <aram@xxxxxxxxxxx>
- Date: Mon, 19 Jun 2000 18:54:22 -0700
- In-reply-to: <>
- User-agent: Microsoft-Outlook-Express-Macintosh-Edition/5.02.2022
Hi Terry,
> From: thayes@netscape.com (Terry Hayes)
> Date: Mon, 19 Jun 2000 10:16:34 -0700
> To: Stefan Santesson <stefan@accurata.se>
> Cc: Stephen Kent <kent@bbn.com>, PKIX Mailing List <ietf-pkix@imc.org>
> Subject: Re: Can we form certificates with just name and e-mail address
>
> Stefan Santesson wrote:
>
>> ....
>>
>> Why can't an e-mail address be part of a reasonable DN? (I guess that's
>> what the current text implies)
>>
>
> There is no reason that it can't be. In fact, I believe that e=name@isp.com is a
> perfectly good DN. It's probably not a good DN in the X.509 world, since it isn't
> very helpful in locating the portion of the "global" directory that actually
> contains the entry. It is a unique name and probably will work in many LDAP or
> other directory environments.
I haven't seen anyone provide this answer so here I go: Someone can correct my
ASN.1, but a reason you shouldn't use "e=name@isp.com" in a/or as a DN is
that it does not meet the ASN.1 rules for a DN (the '@' symbol is not in one
of the valid character sets for DNs). There are a number of "public CAs"
that do put the '@' in a DN, but technically they are incorrect.
Regards,
Aram Perez
[snip]
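
As an added illustration that is not part of the original message: the check below tests DN attribute values against the ASN.1 PrintableString alphabet, which excludes '@', and falls back to IA5String (ASCII), which includes it. The helper names and the second RDN in the sample DN are constructed for this example, and the DN parsing is simplified (no escaping, no multi-valued RDNs).

```python
import string

# PrintableString alphabet per ASN.1: letters, digits, space and ' ( ) + , - . / : = ?
PRINTABLE = frozenset(string.ascii_letters + string.digits + " '()+,-./:=?")

# Universal tag numbers of the two string types compared here.
TAG_PRINTABLE, TAG_IA5 = 0x13, 0x16


def split_dn(dn):
    """Split 'type=value, type=value' into (type, value) pairs (simplified parsing)."""
    pairs = []
    for rdn in dn.split(","):
        attr, _, value = rdn.strip().partition("=")
        pairs.append((attr.strip(), value.strip()))
    return pairs


def non_printable_chars(value):
    """Characters outside the PrintableString alphabet, in order, deduplicated."""
    seen = []
    for ch in value:
        if ch not in PRINTABLE and ch not in seen:
            seen.append(ch)
    return seen


def der_len(n):
    """DER definite length: short form below 128, long form otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_string(value):
    """Encode as PrintableString when the alphabet allows, else as IA5String."""
    data = value.encode("ascii")  # raises UnicodeEncodeError outside IA5 (ASCII)
    tag = TAG_IA5 if non_printable_chars(value) else TAG_PRINTABLE
    return bytes([tag]) + der_len(len(data)) + data


def audit_dn(dn):
    """Per RDN: (type, value, chars outside PrintableString, DER hex of the value)."""
    return [(a, v, non_printable_chars(v), der_string(v).hex()) for a, v in split_dn(dn)]


if __name__ == "__main__":
    # 'e=name@isp.com' is the DN from the thread; the cn RDN is constructed.
    for row in audit_dn("e=name@isp.com, cn=Example User"):
        print(row)
```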