Holger Reif wrote:
>
> Kaur Virunurm schrieb:
> >
> > So, again:
> > The bug in openssl is that ca application may drop some fields from the
> > incoming certificate request without any warning or notification.
>
> This is philosophy: The *CA* determines what should go into
> the cert, not the *requestor*. So it is fine to ignore
> all but what the CA wanted to have in the cert. Whether
> there should be a big flash "Hey, the user wants to
> trick you into something!" is another question.
>
> But I see it as follows: The user is not under your control,
> the CA (hopefully ;-) is. So everything you can do is to
> assure that all goes the way *you* like. Why should you
> care about the wishes of the users?
>
I had a quick look at the code and it might just be a "feature". If you
use the -preserve option to make the certificate follow the request DN
ordering then it looks like it copies all the attributes including those
not specified in the policy.
Perhaps an additional option in the policy section "other" for "any other
field" with the options "discard", "copy", "reject" would be in order
with the default being "discard".
This is all going to need re-doing anyway if/when extensions handling is
added to certificate requests.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
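To make the behaviour discussed in this thread concrete, here is an added model (not OpenSSL's own code and not from anyone in the thread) of how an `openssl ca`-style policy section is applied to a request subject. It implements the `match`/`supplied`/`optional` rules, the silent dropping of fields the policy does not mention, the `-preserve` case where the request ordering and its extra fields are kept, and the proposed `other = discard|copy|reject` knob. Field names, the sample CA DN and the sample request DN are constructed for the example; `dropped_fields` is a hypothetical helper that produces the notification the original poster asked for.

```python
"""Model of a CA policy section applied to a certificate-request DN.

This is an illustrative reimplementation, not OpenSSL's ca code.
"""
from typing import Dict, List, Tuple

# A DN is an ordered list of (attribute type, value) pairs, e.g. [("C", "EE"), ("CN", "kaur")].
DN = List[Tuple[str, str]]


class PolicyError(ValueError):
    """Raised when the request cannot be issued under the CA policy."""


def dropped_fields(req_dn: DN, policy: Dict[str, str]) -> List[str]:
    """Fields in the request that the policy does not mention (the ones silently lost)."""
    return [f for f, _ in req_dn if f not in policy]


def apply_policy(req_dn: DN, ca_dn: DN, policy: Dict[str, str],
                 other: str = "discard", preserve: bool = False) -> DN:
    """Return the subject DN the CA will put in the certificate.

    policy   : field -> "match" | "supplied" | "optional" (as in openssl.cnf)
    other    : proposed handling of fields not in the policy:
               "discard" (current default behaviour), "copy" or "reject"
    preserve : model of -preserve: keep the request's field ordering
    """
    if other not in ("discard", "copy", "reject"):
        raise ValueError(f"unknown 'other' setting {other!r}")
    ca_values = dict(ca_dn)

    # 1. Enforce the rules the CA wrote down; the CA, not the requestor, decides.
    for field, rule in policy.items():
        present = [v for f, v in req_dn if f == field]
        if rule == "match":
            if not present:
                raise PolicyError(f"{field} must be present and match the CA")
            if any(v != ca_values.get(field) for v in present):
                raise PolicyError(f"{field} must equal the CA value {ca_values.get(field)!r}")
        elif rule == "supplied":
            if not present:
                raise PolicyError(f"{field} must be supplied in the request")
        elif rule != "optional":
            raise ValueError(f"unknown policy rule {rule!r} for {field}")

    # 2. Fields the policy never mentions: the point of contention in the thread.
    extra = [(f, v) for f, v in req_dn if f not in policy]
    if other == "reject" and extra:
        raise PolicyError("request carries fields outside the policy: "
                          + ", ".join(f for f, _ in extra))
    keep_extra = other == "copy"

    # 3. Build the subject.
    if preserve:
        # Request ordering is kept; extras survive only if the CA chose to copy them.
        return [(f, v) for f, v in req_dn if f in policy or keep_extra]
    # Default: policy ordering, only policy fields, extras appended if copied.
    subject = [(f, v) for field in policy for f, v in req_dn if f == field]
    if keep_extra:
        subject.extend(extra)
    return subject


if __name__ == "__main__":
    # Constructed sample data for a stand-alone run.
    policy = {"C": "match", "O": "match", "OU": "optional",
              "CN": "supplied", "emailAddress": "optional"}
    ca_dn = [("C", "EE"), ("O", "Example CA")]
    req = [("C", "EE"), ("O", "Example CA"), ("CN", "kaur"),
           ("L", "Tallinn"), ("ST", "Harju")]
    print("issued subject :", apply_policy(req, ca_dn, policy))
    print("silently lost  :", dropped_fields(req, policy))
    print("with -preserve :", apply_policy(req, ca_dn, policy, other="copy", preserve=True))
```

With the default `other="discard"` the L and ST fields vanish from the issued subject exactly as the original poster observed, and `dropped_fields` is where a CA operator would hang a log line or warning; `other="reject"` turns the same situation into a hard failure, which is the safer default for a CA that wants to notice requestors sending unexpected attributes.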