[kmf-discuss] signing/verifying certificates with pktool(1)
Massimiliano Pala
pala at cs.dartmouth.edu
Tue Jan 8 12:13:56 PST 2008
Wyllys Ingersoll wrote:
[...]
> I don't follow. Why would the CA override the requestor's subject name
> or SubjectAltName or any of those fields in the CSR? If they don't match
> the policies of the CA, it can reject the signing request altogether,
> but I don't think it would be appropriate for the signing agent to
> change the request without the requestor's consent.
>
> The "lifetime" parameters are not part of a CSR and are always set by
> the CA. keyusage, subject name, and other extensions are set by the
> requestor.
In my experience you should not trust any extensions in the CSR... as most
of the time these are *wrong*. It is common practice in CA software to
simply ignore them and have the RA/CA (especially at RA level) set them
correctly - also the subject DN should be 'overridable'... this would
allow issuing the certificate with the correct fields without having the
client make another request (and eventually generate a new keypair).
Later,
Max
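The two positions in this exchange, written out as CA-side code: an accept-or-reject check that reports every CSR field violating policy, and an issue-by-policy routine that takes only the public key and proof of possession from the CSR and sets subject, SAN, keyUsage and lifetime itself. This is an added example, not code from the thread, from pktool(1) or from KMF. It assumes the PyCA `cryptography` package; the policy values (ALLOWED_ORG, ALLOWED_DNS_SUFFIX, LIFETIME_DAYS), the helper names and both sample CSRs are constructed for illustration.

```python
import datetime

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Constructed CA policy (illustrative values, not from the thread).
ALLOWED_ORG = "Example Org"           # the only O this CA will certify
ALLOWED_DNS_SUFFIX = ".example.test"  # namespace the CA is authoritative for
LIFETIME_DAYS = 365                   # validity is always the CA's decision


def _key_usage(ca):
    """keyUsage with keyCertSign/cRLSign set only when `ca` is true."""
    return x509.KeyUsage(digital_signature=True, content_commitment=False,
                         key_encipherment=False, data_encipherment=False,
                         key_agreement=False, key_cert_sign=ca, crl_sign=ca,
                         encipher_only=False, decipher_only=False)


def _ext(obj, cls):
    """Return the extension value of type `cls`, or None if absent."""
    try:
        return obj.extensions.get_extension_for_class(cls).value
    except x509.ExtensionNotFound:
        return None


def make_csr(common_name, org, dns_names, ask_for_ca_usage=False):
    """Constructed requestor: a CSR carrying its own subject, SAN and keyUsage."""
    key = ec.generate_private_key(ec.SECP256R1())
    subject = x509.Name([
        x509.NameAttribute(NameOID.COMMON_NAME, common_name),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, org)])
    return (x509.CertificateSigningRequestBuilder()
            .subject_name(subject)
            .add_extension(x509.SubjectAlternativeName(
                [x509.DNSName(d) for d in dns_names]), critical=False)
            .add_extension(_key_usage(ask_for_ca_usage), critical=True)
            .sign(key, hashes.SHA256()))


def policy_violations(csr):
    """Accept-or-reject model: list every CSR field that breaks CA policy.

    An empty list means the CSR may be signed as submitted; otherwise the
    request goes back to the requestor and is never silently rewritten."""
    problems = []
    org = csr.subject.get_attributes_for_oid(NameOID.ORGANIZATION_NAME)
    if not org or org[0].value != ALLOWED_ORG:
        problems.append("subject O not permitted")
    san = _ext(csr, x509.SubjectAlternativeName)
    for name in (san.get_values_for_type(x509.DNSName) if san is not None else []):
        if not name.endswith(ALLOWED_DNS_SUFFIX):
            problems.append(f"SAN {name} outside CA namespace")
    ku = _ext(csr, x509.KeyUsage)
    if ku is not None and (ku.key_cert_sign or ku.crl_sign):
        problems.append("CA key usage requested by end entity")
    return problems


def issue_by_policy(csr, ca_key, ca_name, registered_dns_name):
    """Override model: the CSR supplies only the public key and proof of
    possession; subject, SAN, keyUsage and lifetime come from the RA/CA."""
    if not csr.is_signature_valid:
        raise ValueError("CSR signature invalid: no proof of possession")
    cn = csr.subject.get_attributes_for_oid(NameOID.COMMON_NAME)[0].value
    subject = x509.Name([  # RA-corrected DN: CN kept, O forced to policy
        x509.NameAttribute(NameOID.COMMON_NAME, cn),
        x509.NameAttribute(NameOID.ORGANIZATION_NAME, ALLOWED_ORG)])
    now = datetime.datetime.now(datetime.timezone.utc)
    return (x509.CertificateBuilder()
            .subject_name(subject).issuer_name(ca_name)
            .public_key(csr.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now)
            .not_valid_after(now + datetime.timedelta(days=LIFETIME_DAYS))
            # SAN taken from the RA's registration record, not from the CSR.
            .add_extension(x509.SubjectAlternativeName(
                [x509.DNSName(registered_dns_name)]), critical=False)
            .add_extension(_key_usage(False), critical=True)
            .add_extension(x509.BasicConstraints(ca=False, path_length=None),
                           critical=True)
            .sign(ca_key, hashes.SHA256()))


def demo():
    """Run both models over a compliant and a non-compliant constructed CSR."""
    ca_key = ec.generate_private_key(ec.SECP256R1())
    ca_name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "Example CA")])
    good = make_csr("www.example.test", ALLOWED_ORG, ["www.example.test"])
    bad = make_csr("host.other.test", "Other Org", ["host.other.test"],
                   ask_for_ca_usage=True)
    cert = issue_by_policy(bad, ca_key, ca_name, "host.example.test")
    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    return {
        "good_problems": policy_violations(good),
        "bad_problems": policy_violations(bad),
        "issued_org": cert.subject.get_attributes_for_oid(
            NameOID.ORGANIZATION_NAME)[0].value,
        "issued_is_ca": _ext(cert, x509.BasicConstraints).ca,
        "issued_days": (na - nb).days,
        "key_matches_csr": cert.public_key().public_numbers()
        == bad.public_key().public_numbers(),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The non-compliant CSR asks for a foreign O, a SAN outside the CA's namespace and keyCertSign; `policy_violations` reports all three, while `issue_by_policy` still produces an end-entity certificate for that key with every contentious field replaced by the RA's values, which is the outcome described in the reply above.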