Hello Omar:

On November 16, 2008 07:21:01 pm Massive Cava wrote:
> Hi Patrick,
> my goal would be to create an X.509 certificate which carries those extensions
> that I have described. In fact I need the certificate to test an application
> that I made in Java which produces SAML Assertions. In this certificate it's
> my job to take care of these custom assertions, managing the new OID value
> ... the real problem I have is how to configure OpenSSL, because I have
> looked for some example about creating custom extensions but I have not
> found one yet. I can also put a default value in those extensions; the best would
> be to copy the value from an external source (for example the new fields I told
> you about that are in the certificate request ... is it possible using the in this sense?)

The "right" way to do this is to have the user log into the Identity Provider using their certificate with only the fields CertificatePolicy, KeyUsage of "Digital Signature", and EKU of "Client Authentication", and then, based on that authentication, look up the attribute in a directory somewhere and populate the SAML assertion with the value from the directory. As I said, having this information in the certificate is definitely not the best way to do what you are looking to accomplish. The best way to think of it is:

X.509 Certificates are for proving Identity. Federation Directories and assertions are for providing attributes about that particular identity. When you try and mix the two concepts, you *WILL* run into problems.

Have fun.

Patrick.

> Thank you
> Omar
>
> PS sorry for my bad English
>
> > Date: Sun, 16 Nov 2008 16:29:19 -0500
> > From: [EMAIL PROTECTED]
> > To: openssl-users@openssl.org
> > Subject: Re: Create a new extension
> >
> > Massive Cava wrote:
> > > Hi to all
> > >
> > > I need to configure the file openssl.cnf correctly to create new extensions. I can
> > > modify the config file and add some new fields to the certificate request,
> > > for example date of birth, unique ID of the student and his level, but how can I
> > > switch these fields to X509 extensions when I sign the certificate with the
> > > command "ca ..."???
> >
> > Please tell me that you are not encoding these values into an extension
> > in the certificate??? Unless you are doing Attribute Certificates,
> > encoding these values in as arbitrary extensions is probably NOT what
> > would be considered best practice, and will definitely cause
> > implementation details.
> >
> > First of all, encoding some of those values (Student Birthdays, etc.) in
> > a format whose design is to assist in making a value public (the Public
> > Key) is possibly against the educational or general privacy laws in a
> > number of countries (US, Canada, most of Europe). What you most likely
> > want to do is either use Attribute Certificates (not supported by very
> > many implementations of anything outside of the US DoD), or Federated
> > Attributes using a technology like WS-Fed, or the Liberty Alliance SAML
> > specifications. This would allow you to only provide those attributes to
> > only those sources that you know have a pre-existing relationship with
> > the student, and thus a "need to know" about those attributes.
> >
> > On a more practical note, if you encode those kinds of values as
> > arbitrary extensions in a certificate, then you would have to write code
> > into your Relying Party code to correctly interpret those custom
> > extensions. Most organisations that I know don't want to maintain their
> > own mod_ssl patches or ISAPI filters (assuming that you are going to be
> > doing some sort of web application with these certificates).
> >
> > All of that said, if you DO want help to implement something like this,
> > then please provide the ASN.1 encoding that you would like to use for
> > the extensions, and we can probably help you encode those custom extensions.
> >
> > Just some advice from someone who has "been there, seen that, seen what
> > happens 6 months later".
> >
> > Patrick.
> >
> > ______________________________________________________________________
> > OpenSSL Project                                 http://www.openssl.org
> > User Support Mailing List                    openssl-users@openssl.org
> > Automated List Manager                           [EMAIL PROTECTED]

-- 
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca
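Patrick asks for "the ASN.1 encoding that you would like to use for the extensions", and warns that a Relying Party would then need its own code to interpret them. The block below is an added example (not from the thread, and not OpenSSL project code) of exactly that pair: it DER-encodes one custom X.509 v3 Extension (SEQUENCE of extnID, optional critical flag, extnValue OCTET STRING) carrying a UTF8String such as a date of birth, emits the corresponding `OID=[critical,]DER:...` line that OpenSSL's x509v3_config accepts for arbitrary extensions, and then parses the extension back the way a Relying Party would. The OID `1.3.6.1.4.1.99999.1` and the value `1990-01-01` are placeholders constructed for the example; use an arc you actually own before putting anything like this in a real profile.

```python
# Added example (not from the thread): DER-encode a custom X.509 v3 extension of the
# kind discussed above, and decode it again as a relying party would have to.
# The OID below is a placeholder under the IANA private-enterprise arc, not a real assignment.
from typing import Tuple, Union

DOB_OID = "1.3.6.1.4.1.99999.1"   # hypothetical "date of birth" extension OID


def der_length(n: int) -> bytes:
    """DER definite length: short form below 128, long form (0x8N + N big-endian bytes) otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_tlv(tag: int, content: bytes) -> bytes:
    return bytes([tag]) + der_length(len(content)) + content


def encode_oid(dotted: str) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*a+b, every arc base-128 with continuation bits."""
    arcs = [int(a) for a in dotted.split(".")]
    content = bytearray()
    for arc in [40 * arcs[0] + arcs[1]] + arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        content += chunk
    return der_tlv(0x06, bytes(content))


def utf8string(text: str) -> bytes:
    return der_tlv(0x0C, text.encode("utf-8"))


def encode_extension(oid: str, value_der: bytes, critical: bool = False) -> bytes:
    """Extension ::= SEQUENCE { extnID OID, critical BOOLEAN DEFAULT FALSE, extnValue OCTET STRING }"""
    body = encode_oid(oid)
    if critical:                       # DER forbids encoding a DEFAULT value, so FALSE is omitted
        body += der_tlv(0x01, b"\xff")
    body += der_tlv(0x04, value_der)   # extnValue wraps the already-DER-encoded inner value
    return der_tlv(0x30, body)


def openssl_cnf_line(oid: str, value_der: bytes, critical: bool = False) -> str:
    """x509v3_config 'arbitrary extension' form: OID=[critical,]DER:<hex bytes of the extnValue contents>."""
    flag = "critical," if critical else ""
    return f"{oid}={flag}DER:" + ":".join(f"{b:02X}" for b in value_der)


def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, content, position after this element); handles long-form lengths."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(content: bytes) -> str:
    arcs, val = [], 0
    for b in content:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    first = arcs[0]
    head = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in head + arcs[1:])


def decode_extension(der: bytes) -> Tuple[str, bool, Union[str, bytes]]:
    """Parse one Extension; returns the text for a UTF8String value, raw extnValue bytes otherwise."""
    tag, seq, _ = read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Extension must be a SEQUENCE")
    tag, oid_content, pos = read_tlv(seq, 0)
    if tag != 0x06:
        raise ValueError("extnID must be an OBJECT IDENTIFIER")
    critical = False
    tag, content, nxt = read_tlv(seq, pos)
    if tag == 0x01:                    # optional critical BOOLEAN present
        critical = content == b"\xff"
        tag, content, nxt = read_tlv(seq, nxt)
    if tag != 0x04:
        raise ValueError("extnValue must be an OCTET STRING")
    vtag, vcontent, _ = read_tlv(content, 0)
    value = vcontent.decode("utf-8") if vtag == 0x0C else content
    return decode_oid(oid_content), critical, value


if __name__ == "__main__":
    dob = utf8string("1990-01-01")     # constructed sample value
    print(openssl_cnf_line(DOB_OID, dob))
    print(decode_extension(encode_extension(DOB_OID, dob, critical=True)))
```

The printed line can be dropped into the extension section named by `x509_extensions` (or `extensions`) in openssl.cnf; OpenSSL's config syntax also accepts the shorter `1.3.6.1.4.1.99999.1=ASN1:UTF8String:1990-01-01`, which produces the same bytes. To Omar's question about moving fields from the request into the signed certificate: `copy_extensions = copy` in the `[ ca ]` section makes `openssl ca` carry request extensions over, but it carries over whatever the requester chose to put there, so the CA must vet them before signing. Marking a private extension `critical` means every Relying Party that does not understand the OID must reject the certificate, which is Patrick's "write code into your Relying Party" point in its sharpest form.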