
On Mar 22, 2008, at 4:44 AM, David Chadwick wrote:
If you have followed a lot of the (old) discussions on the PKIX list about DN matching in certificates, you will see that a lot of PKI software vendors do plain string matching of DNs, rather than proper X.500/LDAP DN matching rules, so don't believe that passing certs instead of DNs will solve this problem. It won't. Only proper DN matching software will solve this, so it is irrelevant whether the DN is passed as a string or in a cert.

David et al.,

With respect to the point above, thought you might be interested in the following link.

Topic: PathFinder is designed to provide a mechanism for any program to perform RFC3280-compliant path validation of X509 certificates, even when some of the intermediate certificates are not present on the local machine. By design, Pathfinder automatically downloads any such certificates (and their CRLs) from the Internet as needed using the AIA and CRL distribution point extensions of the certificates it is processing.

Link: http://code.google.com/p/pathfinder-pki/

Alan

Alan Sill, Ph.D
TIGRE Senior Scientist, High Performance Computing Center
Adjunct Professor of Physics
TTU
====================================================================
:  Alan Sill, Texas Tech University  Office: Admin 233, MS 4-1167  :
:  e-mail: Alan.Sill@ttu.edu   ph. 806-742-4350  fax 806-742-4358  :
====================================================================
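
The difference between plain string matching and rule-based DN matching raised in the quoted message, as an added example that is not part of either message and is not PathFinder code. It is a simplified sketch: all function names are hypothetical, every attribute is assumed to use caseIgnoreMatch, the RFC 4518 string preparation is only approximated, and OID or long-name attribute aliases, `#hex` values and quoted values are not handled.

```python
import re
import unicodedata

def _split(s, sep):
    """Split on sep, skipping backslash-escaped characters."""
    parts, cur, i = [], "", 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur += s[i:i + 2]
            i += 2
        elif s[i] == sep:
            parts.append(cur)
            cur = ""
            i += 1
        else:
            cur += s[i]
            i += 1
    return parts + [cur]

def _unescape(v):
    """Decode RFC 4514 escapes: \\XX is one UTF-8 byte, \\c is the char c."""
    out, i = bytearray(), 0
    while i < len(v):
        if v[i] == "\\" and re.fullmatch(r"[0-9A-Fa-f]{2}", v[i + 1:i + 3]):
            out.append(int(v[i + 1:i + 3], 16))
            i += 3
        else:
            if v[i] == "\\" and i + 1 < len(v):
                i += 1
            out += v[i].encode("utf-8")
            i += 1
    return out.decode("utf-8")

def _norm_value(v):
    """Approximate caseIgnoreMatch (assumed): NFKC, case fold, collapse spaces."""
    v = unicodedata.normalize("NFKC", _unescape(v)).casefold()
    return re.sub(r"\s+", " ", v).strip()

def canonical_dn(dn):
    """Tuple of RDNs (order matters); each RDN is an unordered AVA set."""
    rdns = []
    for rdn in _split(dn, ","):
        avas = set()
        for ava in _split(rdn, "+"):
            atype, _, value = ava.partition("=")
            avas.add((atype.strip().lower(), _norm_value(value)))
        rdns.append(frozenset(avas))
    return tuple(rdns)

def dn_equal(a, b):
    """Compare two RFC 4514 string DNs by canonical form, not raw text."""
    return canonical_dn(a) == canonical_dn(b)

# Constructed sample DNs: same name, different string spelling
A = "CN=Jane  Doe,OU=Grid Ops+L=Lubbock,O=Example University,C=US"
B = "cn=jane doe, L=lubbock + ou=grid ops, o=EXAMPLE UNIVERSITY, c=us"
```

Here `A == B` is false while `dn_equal(A, B)` is true, which is the mismatch a string-comparing relying party would hit regardless of whether the DN arrived as text or inside a certificate.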