
RE: Email address in a certificate - NEW



Alon,

To answer one of your questions:

> 2. What is the right way to add the eMail address to a certificate that will be
> recognized by the common mailers as a valid certificate,
>    is the way that VeriSign does it in the DN, or in the extensions ?

E-mail addresses in new certificates should be included in the Subject
Alternative Name extension, rather than the subject DN.  The VeriSign
certificate that you refer to is an old certificate from 1997.
The IETF PKIX working group has deprecated the use of e-mail addresses in
DNs.

- Rich
---------------------------
Richard E. Nicholas
Senior Systems Engineer
Wang Government Services
Richard.Nicholas@xxxxxxxx
(301) 939-2722 


> -----Original Message-----
> From: Alon Barak [mailto:alon@xxxxxxxxxx]
> Sent: Thursday, May 25, 2000 8:32 AM
> To: 'imc-sfl@xxxxxxx'
> Cc: Zvi Agmon
> Subject: Email address in a certificate - NEW
> 
> 
> Hello
> First, I'm sorry the first mail was sent.
> I'm trying to create a certificate using the SFL v1.5 in a C++ application on
> winNT os.
> I created a DSA certificate using the 'auto_hi' tests project without an
> eMail address in it, but I failed to create a certificate that has an eMail
> address in it.
> Using the CML v1.6 I viewed a certificate issued by VeriSign and the
> eMail address was part of the subject DN,
> and there was no SubjectAltName extension.
> I tried to create a new DSA certificate with an eMail address in the
> subject DN
> 'subject_dn=emailAddress=Alon@xxxxxxxxxx@C=US@O=US Government@OU=VDA Site@OU=VDA@CN=Alon Barak DSA'
> or
> 'subject_dn=E=Alon@xxxxxxxxxx@C=US@O=US Government@OU=VDA Site@OU=VDA@CN=Alon Barak DSA'
> but it failed since the SFL did not recognize the 'E' or 'emailaddress'
> prefix.
> so...
> 1. How can I add the eMail address to the DN and to the extensions ?
> 2. What is the right way to add the eMail address to a certificate that will be
> recognized by the common mailers as a valid certificate,
>    is the way that VeriSign does it in the DN, or in the extensions ?
> 3. Do you have a C/C++ API for creating a public/private key pair ?
> 
> Thanks in advance
> (and sorry about the first mail)
> Alon Barak
> Vanguard Security Technologies Ltd.
> Tel: 972-4-9891311 (Ext. 221); 
> Fax: 972-4-9891322
> mailto:Alon@xxxxxxxxxx
>
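
The two placements discussed in this thread, shown at the DER level as an added example that is not part of the original messages and is not SFL or CML code. The function names are hypothetical and `user@example.com` is a constructed placeholder address; the sketch encodes the Subject Alternative Name extension carrying an rfc822Name next to the legacy emailAddress attribute inside a subject DN.

```python
# Added example (not from the thread): DER for the two places an e-mail
# address can live in an X.509 certificate. Standard library only.
EMAIL_ATTR_OID = "1.2.840.113549.1.9.1"  # PKCS #9 emailAddress (legacy, in the DN)
SAN_EXT_OID = "2.5.29.17"                # id-ce-subjectAltName


def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER element: tag, definite length, contents."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])                       # short form
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw   # long form
    return bytes([tag]) + length + body


def oid(dotted: str) -> bytes:
    """DER OBJECT IDENTIFIER: first two arcs packed, the rest base-128."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        while arc > 0x7F:
            arc >>= 7
            chunk.append(0x80 | (arc & 0x7F))
        out += bytes(reversed(chunk))
    return tlv(0x06, bytes(out))


def san_email_extension(email: str) -> bytes:
    """Recommended form: non-critical Extension holding GeneralNames."""
    rfc822 = tlv(0x81, email.encode("ascii"))  # GeneralName [1] IMPLICIT IA5String
    general_names = tlv(0x30, rfc822)          # SEQUENCE OF GeneralName
    return tlv(0x30, oid(SAN_EXT_OID) + tlv(0x04, general_names))


def legacy_dn_email_rdn(email: str) -> bytes:
    """Deprecated form: one RDN (SET) with an emailAddress attribute."""
    atv = tlv(0x30, oid(EMAIL_ATTR_OID) + tlv(0x16, email.encode("ascii")))
    return tlv(0x31, atv)


if __name__ == "__main__":
    addr = "user@example.com"  # constructed sample value
    print("SAN extension :", san_email_extension(addr).hex())
    print("legacy DN RDN :", legacy_dn_email_rdn(addr).hex())
```
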