On 05/15/2010 02:41 PM, From Subrata Mazumdar:
> Hi,

Hi Subrata,

I can answer some of the questions below.

> Can I add more than one e-mail address as a subjAltName extension in
> an X.509 cert?

Yes, certainly.

> Since the value type of subjAltName is GeneralNames, I know I am allowed
> to do that syntactically.
> My questions are:
> - Does this fall within the best practices for X.509 based PKI?

Yes, absolutely.

> - Are the NSS APIs designed to handle more than one e-mail address
> in the subjAltName extension?

To the best of my knowledge, this is the case.

> - Would other applications (like Thunderbird and other mail)
> make sure that they search through all the e-mail addresses to look
> for a match?

Yes, this appears to be the case.

> - Would commercial CAs sign a cert request with more than one e-mail
> address?

That probably depends a lot on the CA. The one I'm responsible for
(StartCom/StartSSL) supports multiple email addresses in the validated
levels (Class 2 and higher), though you have to use the certificate
wizards to add the email addresses and you can't submit a CSR (the key
is generated at the client side though).

Hope this helps.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
XMPP: start...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
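
The layout discussed in this thread, as an added example that is not part of the original message and is not NSS code: a subjAltName value is a SEQUENCE of GeneralName entries, so several rfc822Name items can sit side by side, and a verifier has to compare the sender against every one of them. The function names and sample addresses are constructed for illustration, and comparing only the domain part case-insensitively is an assumption of this sketch.

```python
# Added example, not NSS code: a subjectAltName value (GeneralNames) with several e-mails.
SEQUENCE, RFC822_NAME, DNS_NAME = 0x30, 0x81, 0x82  # [1] and [2] are IMPLICIT IA5String

def tlv(tag, value):
    """DER tag-length-value; short-form length only, enough for the sample below."""
    assert len(value) < 0x80
    return bytes([tag, len(value)]) + value

def encode_general_names(entries):
    return tlv(SEQUENCE, b"".join(tlv(t, s.encode("ascii")) for t, s in entries))

def read_tlv(buf, pos):
    """Return (tag, value, next_pos); raise ValueError on truncated input."""
    if pos + 2 > len(buf):
        raise ValueError("truncated header")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length >= 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or pos + n > len(buf):
            raise ValueError("indefinite or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated value")
    return tag, buf[pos:pos + length], pos + length

def san_emails(der):
    """Every rfc822Name in the GeneralNames value; other name types are skipped."""
    tag, body, end = read_tlv(der, 0)
    if tag != SEQUENCE or end != len(der):
        raise ValueError("expected one GeneralNames SEQUENCE")
    emails, pos = [], 0
    while pos < len(body):
        tag, value, pos = read_tlv(body, pos)
        if tag == RFC822_NAME:
            emails.append(value.decode("ascii"))
    return emails

def matches_sender(der, sender):
    """Check the sender against all addresses, not just the first one."""
    norm = lambda a: (a.rpartition("@")[0], a.rpartition("@")[2].lower())
    return norm(sender) in {norm(e) for e in san_emails(der)}

# Constructed sample: two e-mail addresses and one DNS name in one extension.
SAMPLE = encode_general_names([(RFC822_NAME, "alice@example.org"),
                               (DNS_NAME, "mail.example.org"),
                               (RFC822_NAME, "alice.work@example.com")])
```

A matcher that stops at the first rfc822Name would reject mail from the second address even though the certificate covers it.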