
Re: Basic Cert-2-Directory mapping question



Peter,

> >Finally, the IETF has had a standard means of encoding a DNS name as a DN for
> >several years, which suggests that there is at least one scheme that would 
> >work.
>  
> I assume you mean the RFC 2247 domainComponent?  It's a nice theory, but since 
> anyone who needs a URL/FQDN will use a GeneralName where it's available (which 
> is in most cases when it's required) and where only a DN is available will 
> stuff it into a CN like everyone else does and like everyone's software 
> expects, I can't see it ever going beyond being a nice theory (I have a vague 
> memory of actually having seen a solitary DC in a cert somewhere, but a quick 
> check of my collection has failed to locate one... does anyone know of 
> examples of these being used?  How does the average third-party app handle 
> them?).

We've used certificates with DC attributes (encoded as IA5STRING) with
customers. Needless to say, applications do have problems; most
will accept the certificates but will not display the full DN, esp.
not the DC attributes...  :)

Cheers,

	Stefan.


-------------------------------------------------------
Dipl.-Inform. Stefan Kelm
Security Consultant

Secorvo Security Consulting GmbH
Albert-Nestler-Strasse 9, D-76131 Karlsruhe

Tel. +49 721 6105-461, Fax +49 721 6105-455
E-Mail kelm@xxxxxxxxxx, http://www.secorvo.de
-------------------------------------------------------
PGP Fingerprint 87AE E858 CCBC C3A2 E633 D139 B0D9 212B