Hi Bob

> 1) the user has multiple certs with the same subject, but some certs map
> to different roles (evil IMHO).

But you can find this constellation in many "business" PKIs. The identity of a user (his name or employee number) is taken as the cn= to match the local directory structure (e.g. company LDAP or ADS). But for security reasons you need multiple keypairs and therefore also multiple certificates. You must be sure that his secret signing key is only on his smartcard, so you generate this keypair on the card. For the encryption keypair you must be sure to have a backup, otherwise the loss or damage of the smartcard results in data loss. That's why users often have two different certificates (encryption and signing/authentication) with the same subject in the certificates. It's the job of the applications to select the right certificate according to the keyUsage (and extendedKeyUsage). So IMHO this is not "evil" ;-)

> I think resolving this will take some thought so we don't break existing
> applications (perhaps adding a new friendly name parallel with our
> nickname which can be different even if the subject is the same).

I think it might be best to set the CKA_LABEL of every imported certificate to the friendlyName of the PKCS#12 container. If the friendlyName is not set, the CommonName should be the right choice.

Regards
Ulf

--
Ulf Leichsenring
[EMAIL PROTECTED]

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
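The two points of the post above, worked through as an added shell example that is not part of the thread or of NSS: two self-signed certificates share one subject but differ in keyUsage, a selector picks the certificate for an operation by keyUsage rather than by subject, and a label function takes the PKCS#12 friendlyName when it is present and falls back to the CommonName otherwise. It assumes an `openssl` binary of version 1.1.1 or later on PATH (for `req -addext` and `x509 -ext`); the subject, file names, friendly name and password are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread or from NSS.
# Assumes: openssl >= 1.1.1 on PATH. All names and values below are constructed.
set -e

WORK=$(mktemp -d)
SUBJ="/CN=employee-12345/O=Example Corp"   # one subject shared by both certificates
P12_PASS="constructed-pw"                  # constructed export password

# make_cert NAME KEYUSAGE EXTKEYUSAGE -> $WORK/NAME.key and $WORK/NAME.crt
# The signing key would live only on the card; the encryption key is the one
# that gets escrowed so a lost card does not mean lost data.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "$SUBJ" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -addext "keyUsage=critical,$2" -addext "extendedKeyUsage=$3" >/dev/null 2>&1
}
make_cert sign digitalSignature,nonRepudiation clientAuth,emailProtection
make_cert enc  keyEncipherment,dataEncipherment emailProtection

# cert_key_usage CERT -> the keyUsage bits as openssl prints them,
# e.g. "Digital Signature, Non Repudiation"
cert_key_usage() {
  openssl x509 -in "$1" -noout -ext keyUsage | sed -n '2p' | sed 's/^ *//'
}

# cert_cn CERT -> the CommonName of the certificate subject
cert_cn() {
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# subjects_match CERT_A CERT_B -> 0 when both carry the same subject DN
subjects_match() {
  [ "$(openssl x509 -in "$1" -noout -subject)" = \
    "$(openssl x509 -in "$2" -noout -subject)" ]
}

# select_cert USAGE CERT... -> prints the first CERT whose keyUsage contains
# USAGE (spelled as openssl prints it, e.g. "Key Encipherment"). Returns 1 if
# none matches: the application must not fall back to "any cert with this subject".
select_cert() {
  want=$1; shift
  for f in "$@"; do
    if cert_key_usage "$f" | grep -q "$want"; then
      printf '%s\n' "$f"
      return 0
    fi
  done
  return 1
}

# Two PKCS#12 containers: one exported with a friendlyName, one without.
openssl pkcs12 -export -in "$WORK/sign.crt" -inkey "$WORK/sign.key" \
  -name "employee-12345 signing" -out "$WORK/sign.p12" -passout "pass:$P12_PASS"
openssl pkcs12 -export -in "$WORK/enc.crt" -inkey "$WORK/enc.key" \
  -out "$WORK/enc.p12" -passout "pass:$P12_PASS"

# p12_friendly_name P12 PASS -> the friendlyName bag attribute, or nothing
p12_friendly_name() {
  openssl pkcs12 -in "$1" -info -nokeys -passin "pass:$2" 2>/dev/null \
    | sed -n 's/^ *friendlyName: //p' | head -n 1
}

# label_for_cert P12 PASS -> the label the post proposes for CKA_LABEL:
# the container's friendlyName if set, otherwise the certificate's CommonName.
label_for_cert() {
  name=$(p12_friendly_name "$1" "$2")
  if [ -n "$name" ]; then
    printf '%s\n' "$name"
  else
    tmp="$WORK/extracted.crt"
    openssl pkcs12 -in "$1" -nokeys -clcerts -passin "pass:$2" 2>/dev/null > "$tmp"
    cert_cn "$tmp"
  fi
}

# Usage: pick the certificate for a signing operation, then show the labels.
select_cert "Digital Signature" "$WORK/enc.crt" "$WORK/sign.crt"
label_for_cert "$WORK/sign.p12" "$P12_PASS"
label_for_cert "$WORK/enc.p12" "$P12_PASS"
```

Note that `select_cert` matches on the keyUsage text only; a production selector would also check extendedKeyUsage and validity, but the point the post makes is already visible here: with both certificates carrying an identical subject, only the keyUsage bits tell them apart, so the label derived from the subject alone would be the same for both.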