
Re: Alternate names in certificates



On Mon, 14 Jul 2003, Michael Ströder wrote:

> > This is a known limitation (bug) in OpenSSL 0.9.6. I don't recall if it's
> > been fixed in 0.9.7 or 0.9.8. (That is, extensions in the cert request are
> > not propagated into the signed certificate.)

I'm using OpenSSL 0.9.7b 10 Apr 2003.

> It's rather off-topic here but please note that most CAs won't propagate the
> extensions from CSR into the certificate. Therefore I'd not consider this a
> bug in OpenSSL. This limitation is a security feature. I'd like to emphasize
> that you *should not* automatically propagate the extensions from the CSR to
> the EE certificate without filtering! CAs are even free to completely change
> the subject name according to their CP and CPS.

Yeah, I thought about it, since it seems like an obvious omission, and
concluded it was a security feature.  You really want to trust as little
user input as possible, so you need to convince the CA to put it in.

> Also with X.509 certificates you have to exactly know what you are doing!

Indeed, but this is strictly for internal use (just to get 2.1 up and
running in our... strange... environment).  We do have a fair dinkum
certificate for our e-trading, but it made little sense to buy one for
each of our internal LDAP servers.

-- 
Dave Horsfall  DTM  VK2KFU  daveh@ci.com.au  Ph: +61 2 9906-7866  Fx: 9906-1556
Corinthian Engineering, Level 1, 401 Pacific Hwy, Artarmon, NSW 2064, Australia
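The filtering the thread recommends, as an added example that is not part of the original messages or OpenSSL itself: the CA reads the subjectAltName the requester asked for, keeps only DNS names under a zone the CA is authoritative for, and supplies that SAN itself through `-extfile`, so nothing is copied from the CSR unchecked. It assumes a reasonably modern `openssl` on PATH (`-addext` needs 1.1.1 or later); the zone `example.internal` and the hostnames are constructed for the demo.

```shell
#!/bin/sh
# Added example: CA-side signing that filters the requested SAN instead of
# copying CSR extensions blindly. Names and the allowed zone are constructed.
set -e
WORK=$(mktemp -d)
ALLOWED_SUFFIX="example.internal"

# Throwaway self-signed CA for the demo.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -subj "/CN=Demo Internal CA" >/dev/null 2>&1

# A CSR asking for one legitimate name and one it has no business claiming.
openssl req -new -newkey rsa:2048 -nodes \
  -keyout "$WORK/ldap.key" -out "$WORK/ldap.csr" \
  -subj "/CN=ldap1.example.internal" \
  -addext "subjectAltName=DNS:ldap1.example.internal,DNS:login.bank.example" \
  >/dev/null 2>&1

# DNS names the requester put in the CSR's subjectAltName, one per line.
requested_san() {
  openssl req -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 | tr ',' '\n' \
    | sed -n 's/^[[:space:]]*DNS:\([^[:space:]]*\).*/\1/p'
}

# Keep only names inside the CA's zone; the CA, not the requester, decides.
filtered_san() {
  requested_san "$1" | grep -E "(^|\.)${ALLOWED_SUFFIX}\$" \
    | sed 's/^/DNS:/' | paste -sd, -
}

# Sign with CA-chosen extensions only; the CSR's own extensions are ignored.
sign_csr() {
  san=$(filtered_san "$1")
  printf 'subjectAltName=%s\nbasicConstraints=CA:FALSE\n' "$san" > "$WORK/ext.cnf"
  openssl x509 -req -in "$1" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -extfile "$WORK/ext.cnf" -out "$2" >/dev/null 2>&1
}

# SAN that actually ended up in the issued certificate.
cert_san() {
  openssl x509 -in "$1" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n1 | tr -d ' '
}

sign_csr "$WORK/ldap.csr" "$WORK/ldap.pem"
```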