[Modules] [monkeysphere] mod_gnutls/libmsv
Clint Adams
clint at debian.org
Thu May 5 16:46:02 EDT 2011
On Thu, May 05, 2011 at 03:32:34PM -0400, Daniel Kahn Gillmor wrote:
> Is it really forbidden? I'm pretty sure i have X.509 certificates with
> an emailAddress in them. For example, take a look at
>
> /etc/ssl/certs/spi-cacert-2008.pem
Perhaps not, but /usr/include/gnutls/x509.h contains
/* The following should not be included in DN.
*/
#define GNUTLS_OID_PKCS9_EMAIL "1.2.840.113549.1.9.1"
> Have you looked at the structure and contents of an S/MIME e-mail
> signing X.509 certificate issued by one of the members of the CA cartel?
I have not.
> As i read the docs [0], this will only return otherName members of the
> subjectAltName field, so you won't get anything for, say, dNSName
> members of the subjectAltName [1]. And i don't see any guarantee that
> additional otherName designees will not get defined by future versions
> of gnutls; but maybe we should raise this question on the gnutls
> development list.
I'm not sure this is a problem; either the SAN holds a peername
which matches a OpenPGP uid associated with the pkcdata, or it
doesn't. If the issue is X.509 certs generated by someone else,
then of course having GnuTLS, mod_gnutls, and Monkeysphere
all able to understand the same field would be helpful.
More information about the Modules
mailing list