On 09.09.2013 12:13, phildoch wrote:
> Ok. So meanwhile, unless it will be proven that it is illegal,
Looking at the IETF RFCs, none that I found explicitly or implicitly
indicated a meaningful use of the certificate policies entry in a CSR.
On the other hand the semantics of this entry means that it can be used
to check whether the certificate issuer has a policy that allows the
relying party to trust it, and thus accept the data signed using the
private key associated with the certificate's public key component.

The certificate is a kind of ID document for the data sent and its
relation to its originator. In this sense putting a certificate policy
in a CSR is like requesting the issuance of a passport based on the
requester's wishes not the policy of the public authority issuing the
document.

Allowing a certificate policy entry in the CSR without considering it
for the issuance of a certificate would be consistent with the semantics
of the certification policies, but pure nonsense.

> let's say that
> for any reason the Certificate requester wants to add a "certificate
> policies" extension in the CSR.
> Is this syntax correct:?
>  add_ext(exts, NID_certificate_policies, "1.3.6.1"); 
> (based on function mkreq() in file
> openssl/demos/x509/openssl/demos/x509/mkreq.c)
>
>  Thanks
>   
>
>
>
> --
> View this message in context: 
> http://openssl.6102.n7.nabble.com/adding-certificate-policies-extension-in-CSR-tp46467p46471.html
> Sent from the OpenSSL - User mailing list archive at Nabble.com.
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    openssl-users@openssl.org
> Automated List Manager                           majord...@openssl.org

-- 
-----------------------------------------------------------
Willy Weisz

             Computational Science Center
                 University of Vienna
               Oskar Morgenstern-Platz 1
                    A-1090 Wien
Tel: (+43 1) 4277 - 23724        Fax: (+43 1) 4277 - 823724
Mobile: +43 699 10109546   e-mail: willy.we...@univie.ac.at
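
The point argued in the reply above, as an added example that is not part of the original thread: a CSR can carry a certificatePolicies request, but the issuer decides whether the certificate contains it. It assumes the openssl command line tool, version 1.1.1 or later (for `-addext`); the CA, the subject names and the file names are constructed, and 1.3.6.1 is the OID from the question.

```sh
#!/bin/sh
# Added example: a CSR may request certificatePolicies, but the issuer decides
# whether the certificate carries it. CA, subjects and file names are constructed.
set -eu

# has_policy <req|x509> <file>: true if a Certificate Policies extension is present
has_policy() {
  openssl "$1" -in "$2" -noout -text | grep -q "X509v3 Certificate Policies"
}

demo_csr_policy() {
  d=$(mktemp -d)
  # Constructed throwaway CA (self-signed).
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Test CA" \
    -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  # Requester puts the OID from the question into the CSR.
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=requester.example" \
    -addext "certificatePolicies=1.3.6.1" \
    -keyout "$d/ee.key" -out "$d/ee.csr" 2>/dev/null
  # Issuer signs; "x509 -req" does not copy requested extensions by default.
  openssl x509 -req -in "$d/ee.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
    -CAcreateserial -days 1 -out "$d/ee.pem" 2>/dev/null
  if has_policy req "$d/ee.csr"; then csr=yes; else csr=no; fi
  if has_policy x509 "$d/ee.pem"; then cert=yes; else cert=no; fi
  rm -rf "$d"
  echo "csr=$csr cert=$cert"
}

demo_csr_policy
```

A relying party or auditor can use the same `-noout -text` check on an issued certificate to confirm that any policy OID present was set by the issuer's configuration and not taken over from the request.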
