Hi Lior:

On March 11, 2009 12:33:46 pm Lior Aharoni wrote:
> You can see that we have some differences:
>
> 1. E= in Windows and emailAddress= in OpenSSL
> 2. S= in Windows and ST= in OpenSSL
>
> Does someone know if there is a way of retrieving the data using OpenSSL
> that will result in the same subject string that Windows shows?
I think you should be asking if there is a way to have Windows not mangle the field names :)

In RFC 2256, which is Normative for LDAP, the correct field name for "STATE" is:

    5.9. st
    This attribute contains the full name of a state or province
    (stateOrProvinceName).
    ( 2.5.4.8 NAME 'st' SUP name )

So Microsoft's 'S' is clearly not standards compliant.

And in RFC 2459 Section 4.1.2.6, which has been deprecated, the correct field name for expressing an email address is:

    pkcs-9 OBJECT IDENTIFIER ::=
      { iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) 9 }
    emailAddress AttributeType ::= { pkcs-9 1 }

Again here, Microsoft invented 'E' out of thin air... there is no definition for a field of that name that *I* can find anywhere.

Of course, since RFC 2459 is deprecated, to be more correct, OpenSSL SHOULD use "email" as the field name, but probably doesn't, since only legacy CAs should be including email addresses in their Subject Names. Modern CA implementations should NOT have the email address in the Subject name, and instead have it as one of the values in subjectAltName.

So, Microsoft is just inventing clever shortcuts, whereas OpenSSL is following the standards. I would complain to Microsoft, if I were you :)

Have fun.

--
Patrick Patterson
President and Chief PKI Architect,
Carillon Information Security Inc.
http://www.carillon.ca

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
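The practical problem behind the question is comparing a subject printed by Windows ("E=..., S=...") with one printed by OpenSSL ("/ST=.../emailAddress=...") without being tripped up by the label differences. The following is an added example, not code from the thread or from OpenSSL: it maps both spellings onto the attribute OIDs the reply quotes (2.5.4.8 for st, pkcs-9 1 = 1.2.840.113549.1.9.1 for emailAddress) and compares the results ignoring RDN order, since Windows also reverses the order. The function names, the OIDs for C/O/OU/CN/L, and the sample subjects are my own assumptions and constructed data; escaped separators inside values are not handled.

```python
import re

# Tool-specific label -> dotted OID.  'ST'/'S' and 'emailAddress'/'E' come from the
# RFC text quoted in the reply; the remaining OIDs are standard X.520 values added
# here as an assumption, not taken from the post.
OID_BY_LABEL = {
    "C": "2.5.4.6", "O": "2.5.4.10", "OU": "2.5.4.11", "CN": "2.5.4.3", "L": "2.5.4.7",
    "ST": "2.5.4.8", "S": "2.5.4.8",                      # RFC 2256 'st'; Windows shows 'S'
    "EMAILADDRESS": "1.2.840.113549.1.9.1",              # pkcs-9 1 (RFC 2459 4.1.2.6)
    "E": "1.2.840.113549.1.9.1",                         # Windows shorthand for the same OID
}

# Matches the start of a 'label=' pair so that separators inside values are left alone.
_LABEL_AHEAD = r"(?=[A-Za-z][A-Za-z0-9.]*=)"


def parse_dn(dn: str) -> dict:
    """Parse an OpenSSL '/X=v/Y=w' or a Windows 'X=v, Y=w' subject string.

    Returns {OID: [value, ...]} so that label spelling and RDN order do not matter.
    Labels with no known OID are kept verbatim as the key (hypothetical helper).
    """
    s = dn.strip()
    if s.startswith("/"):
        parts = re.split("/" + _LABEL_AHEAD, s[1:])        # OpenSSL one-line format
    else:
        parts = re.split(r",\s*" + _LABEL_AHEAD, s)        # Windows comma-separated format
    out = {}
    for part in parts:
        label, _, value = part.partition("=")
        key = OID_BY_LABEL.get(label.strip().upper(), label.strip())
        out.setdefault(key, []).append(value.strip())
    return out


def same_subject(dn_a: str, dn_b: str) -> bool:
    """True when both strings name the same subject regardless of tool-specific labels."""
    return parse_dn(dn_a) == parse_dn(dn_b)


if __name__ == "__main__":
    # Constructed sample: the same certificate as printed by OpenSSL and by Windows.
    openssl_form = "/C=CA/ST=Quebec/O=Example Org/emailAddress=user@example.com"
    windows_form = "E=user@example.com, O=Example Org, S=Quebec, C=CA"
    print(same_subject(openssl_form, windows_form))      # True
```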