In message <[EMAIL PROTECTED]> on Wed, 10 Dec 2003 16:12:11 -0500,
Rich Salz <[EMAIL PROTECTED]> said:

rsalz> > Uhmm, so you want to create something that could be in contradiction
rsalz> > with what's written in the policy section (did you look there?)?  And
rsalz> > in case of contradiction, what takes priority, the _required setting
rsalz> > or the policy setting?
rsalz> 
rsalz> Yes, it's possible to get things out of sync.  But more
rsalz> usefully, it's also possible to "head off" bad requests by
rsalz> making the user enter fields that the CA requires.  Of course,
rsalz> if things are out of sync, the CA and its policy take
rsalz> precedence.  What happens now if a cert request contains an RDN
rsalz> that isn't in the CA's policy?  I don't see how _required is
rsalz> any different from that.

Wait, I'm wondering if you're not a little bit confused here.  Aren't
we talking about building a CSR here?  Now, you're talking about an
already existing CSR, ...  And oh, actually, it's I who's confused!
The [ policy_whatever ] stuff is used by 'openssl ca', while the stuff
you're talking about is used by 'openssl req'...

*engaging brain*

There, I feel better now :-).

rsalz> I understand the semantics of _min, it just surprised me,
rsalz> that's all.  A zero-length field doesn't meet the minimum
rsalz> length. :)  I was expecting "strlen(p) == 2" not "*p == '\0' ||
rsalz> strlen(p) == 2", as it were.
rsalz> 
rsalz> The problem is the inconsistencies.  Why doesn't the CA get
rsalz> automated enforcement checking of lengths, just whether or not
rsalz> a field is there?  Etc.  Why can't the "req" command be able to
rsalz> format a request (and prompt for fields) that is most like what
rsalz> the CA wants?  (Sometimes it might fail, if the CA changes
rsalz> policies or a different CA signs things, but you get the
rsalz> point.)

So basically, you want 'openssl req' to be able to reject '.' as an
answer to some of the prompts...

As for the CA, I'm not sure it should redo the kind of enforcement
you're talking about, but it may be worth pondering over...

rsalz> If you don't like my _required change -- and wouldn't that be the first 
rsalz> time OpenSSL rejected a not-incompatible feature? -- would you accept 
rsalz> something that added a "-policy" argument to the req command?  I could 
rsalz> at least use match or supplied to mean "a required field".

Yes, actually, I would much rather reuse the policy section.  That
wouldn't add to the possible conflict, at least in spirit (provided
the CSR builder and the CA operator use the same configuration file).

-----
Please consider sponsoring my work on free software.
See http://www.free.lp.se/sponsoring.html for details.
You don't have to be rich, a $10 donation is appreciated!

-- 
Richard Levitte   \ Tunnlandsvägen 3  \ [EMAIL PROTECTED]
[EMAIL PROTECTED]  \ S-168 36  BROMMA  \ T: +46-8-26 52 47
                    \      SWEDEN       \ or +46-708-26 53 44
Procurator Odiosus Ex Infernis                -- [EMAIL PROTECTED]
Member of the OpenSSL development team: http://www.openssl.org/

Unsolicited commercial email is subject to an archival fee of $400.
See <http://www.stacken.kth.se/~levitte/mail/> for more info.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
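
The two checks discussed in the message above, as an added example that is not OpenSSL code and not part of the original message: the `_min` semantics where an omitted field passes, next to a check that treats `match` and `supplied` entries of a policy section as "a required field". The config fragment, the section name `policy_match`, the function names and the `policy` parameter (standing in for the proposed `-policy` argument) are assumptions.

```python
# Added illustration, not OpenSSL code. CONFIG is a constructed openssl.cnf
# fragment; the section name policy_match is an assumption.
CONFIG = """
[ req_distinguished_name ]
countryName_min = 2
countryName_max = 2

[ policy_match ]
countryName = match
organizationName = match
organizationalUnitName = optional
commonName = supplied
"""

def parse_sections(text):
    """Minimal reader for '[ name ]' headers and 'key = value' lines."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def check_answers(answers, sections, policy=None):
    """Return (field, problem) pairs; policy is a hypothetical -policy stand-in."""
    limits = sections.get("req_distinguished_name", {})
    rules = sections.get(policy, {}) if policy else {}
    problems = []
    for field in sorted(set(rules) | set(answers)):
        value = answers.get(field, "")
        if value in ("", "."):  # '.' at a prompt leaves the field out
            # _min/_max say nothing about an omitted field; only a
            # match/supplied policy entry makes the field mandatory.
            if rules.get(field) in ("match", "supplied"):
                problems.append((field, "required by policy"))
            continue
        lo = int(limits.get(field + "_min", 0))
        hi = int(limits.get(field + "_max", len(value)))
        if not lo <= len(value) <= hi:
            problems.append((field, "length out of range"))
    return problems

if __name__ == "__main__":
    typed = {"countryName": ".", "commonName": "www.example.test"}
    for pol in (None, "policy_match"):
        print(pol, check_answers(typed, parse_sections(CONFIG), pol))
```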
