I'm not certain that using the subjectAltNames field is the "proper"
thing to do.
The problem I see is that you may wish to use a certificate at more
than one site, with possibly different usernames.
Even if you can store an arbitrarily long list of local usernames
in *any* of the fields in a certificate, you must still maintain
a local list to check to see if the identity claimed by the local
username is acceptable, and which certificate subject is associated
with it.
Perhaps a file mapping a certificate subject name to a local
username is a better solution. The certificate can be used at sites
with different usernames that aren't known at certificate issue time,
and doesn't require extra baggage in the certificate.
>
> >One approach would be to use the email field.
>
> No no no no no no no no!
>
> There is no such thing as an "email" field. Many older
> CAs (e.g., the early Verisign ones) used this RDN, which
> was defined in PKCS#9. *That's wrong.*
>
> The proper thing to do is use the subjectAltNames
> extension.
> /r$
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>
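The two approaches argued over above, a subject-to-username mapping file kept on the server versus a name carried inside the certificate, can be shown side by side in working code. The following is an added example written for this page in Go (crypto/x509), not code from OpenSSL or from either poster. The mapping-file format (tab-separated subject DN and local username), the two "sites", the names and the self-signed certificates are all constructed for the example; Go places EmailAddresses in the subjectAltName extension as rfc822Name entries, so the certificate's e-mail is read from there and never from a PKCS#9 emailAddress RDN in the subject.

```go
package main

import (
	"bufio"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Constructed mapping files, one per site: "<subject DN>\t<local username>".
// The same certificate subject maps to a different local account at each site,
// and the certificate itself carries neither username.
const siteAMapping = `# subject DN	local username
CN=Alice Example,O=Example Corp,C=US	alice
CN=Bob Builder,O=Example Corp,C=US	bob
`

const siteBMapping = `# subject DN	local username
CN=Alice Example,O=Example Corp,C=US	aexample
`

// parseMapping reads a mapping file into a map keyed by the RFC 2253 subject string.
func parseMapping(text string) (map[string]string, error) {
	m := make(map[string]string)
	sc := bufio.NewScanner(strings.NewReader(text))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue // blank line or comment
		}
		parts := strings.Split(line, "\t")
		if len(parts) != 2 {
			return nil, fmt.Errorf("malformed mapping line: %q", line)
		}
		m[strings.TrimSpace(parts[0])] = strings.TrimSpace(parts[1])
	}
	return m, sc.Err()
}

// localUser resolves an already-verified client certificate to a local account.
// Only the local mapping decides the username; an unmapped subject is rejected
// rather than trusting any name the certificate claims for itself.
func localUser(cert *x509.Certificate, mapping map[string]string) (string, error) {
	dn := cert.Subject.String() // e.g. "CN=Alice Example,O=Example Corp,C=US"
	user, ok := mapping[dn]
	if !ok {
		return "", fmt.Errorf("no local user for subject %q", dn)
	}
	return user, nil
}

// sanEmails returns the rfc822Name entries of the subjectAltName extension.
// Go never parses an emailAddress RDN into this slice; it comes from the SAN only.
func sanEmails(cert *x509.Certificate) []string {
	return cert.EmailAddresses
}

// makeCert builds a throwaway self-signed certificate with the given CN and
// SAN e-mail, standing in for a client certificate issued by a CA.
func makeCert(cn, email string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{CommonName: cn, Organization: []string{"Example Corp"}, Country: []string{"US"}},
		EmailAddresses: []string{email}, // emitted in subjectAltName, not in the subject DN
		NotBefore:      time.Now(),
		NotAfter:       time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := makeCert("Alice Example", "alice@example.com")
	if err != nil {
		panic(err)
	}
	fmt.Println("subject:", cert.Subject.String(), "SAN e-mail:", sanEmails(cert))
	for name, text := range map[string]string{"site A": siteAMapping, "site B": siteBMapping} {
		m, err := parseMapping(text)
		if err != nil {
			panic(err)
		}
		user, err := localUser(cert, m)
		fmt.Printf("%s -> user %q (err=%v)\n", name, user, err)
	}
}
```

Note that the lookup key is the whole subject DN as one string, so the mapping file must be written in the exact form the parser prints; a mapping keyed on CN alone would let any CA-issued certificate with a matching CN claim the account.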