[openssl-users] How many SAN entries...?

Blumenthal, Uri - 0553 - MITLL uri at ll.mit.edu
Thu Apr 27 14:08:17 UTC 2017

You do not "revoke" a subset of attributes aka SAN emails. When any of the certified attributes changes (i.e., is certification no longer valid), the certificate is revoked and (possibly) re-issued. The process is no different than with any other set of attributes, several of which may be owned/controlled by different organizations.


Sent from my iPhone

> On Apr 27, 2017, at 09:41, Jochen Bern <Jochen.Bern at binect.de> wrote:
> On 04/26/2017 07:13 PM, Viktor Dukhovni was digested as writing:
>> On Apr 26, 2017, at 1:03 PM, Blumenthal, Uri - 0553 - MITLL <uri at ll.mit.edu> wrote:
>>> It?s been my understanding that a cert can contain as many SAN attributes as needed,
>>> but it appears that Apple believes it has to be only one (because certificates with
>>> more than one are not processed properly).
>> Perhaps CAs have rarely issued email certificates with multiple email addresses. 
> The mechanics of verifying - or, if necessary, revoking - every single
> one should be ... interesting. Unless, maybe, it's a boatload of
> ("typo"?) aliases from the same organization.
> [Remembers manually splitting others' PGP pubkeys into single-user-ID
> ones after signing parties so as to send every freshly-signed ID only to
> the *one* address stated in it]
> Regards,
> -- 
> Jochen Bern
> Systemingenieur
> Fon:    +49 6151 9067-231
> Fax:    +49 6151 9067-290
> E-Mail: jochen.bern at binect.de
> www.binect.de
> www.facebook.de/binect
> Binect ist ausgezeichnet:
> Sieger INNOVATIONSPREIS-IT 2017 | Das Büro: Top 100 Büroprodukte 2017
> Binect GmbH
> Robert-Koch-Straße 9, 64331 Weiterstadt, DE
> Geschäftsführung: Christian Ladner, Dr. Frank Wermeyer, Nils Manegold
> Unternehmenssitz: Weiterstadt
> Register:         Amtsgericht Darmstadt, HRB 94685
> Umsatzsteuer-ID:  DE 221 302 264
> MAX 21-Unternehmensgruppe
>> Diese E-Mail kann vertrauliche Informationen enthalten. Wenn Sie nicht
> der richtige Adressat sind oder diese E-Mail irrtümlich erhalten haben,
> informieren Sie bitte sofort den Absender und vernichten Sie diese
> E-Mail. Das unerlaubte Kopieren, sowie die unbefugte Weitergabe dieser
> Mail oder von Teilen dieser Mail ist nicht gestattet. Jede von der
> Binect GmbH versendete Mail ist sorgfältig erstellt worden, dennoch
> schließen wir die rechtliche Verbindlichkeit aus; sie kann nicht zu
> einer irgendwie gearteten Verpflichtung zu Lasten der Binect GmbH
> ausgelegt werden. Wir haben alle verkehrsüblichen Maßnahmen unternommen,
> um das Risiko der Verbreitung virenbefallener Software oder E-Mails zu
> minimieren, dennoch raten wir Ihnen, Ihre eigenen Virenkontrollen auf
> alle Anhänge an dieser Nachricht durchzuführen.
> Wir schließen, außer für den Fall von Vorsatz oder grober
> Fahrlässigkeit, die Haftung für jeglichen Verlust oder Schäden durch
> virenbefallene Software oder E-Mail aus.
> This e-mail may contain confidential and/or privileged information. If
> you are not the intended recipient (or have received this e-mail in
> error) please notify the sender immediately and destroy this e-mail. Any
> unauthorized copying, disclosure or distribution of contents of this
> e-mail is strictly prohibited. All Binect GmbH emails are created
> thoroughly, nevertheless we do not accept any legal obligation for the
> information and wording contained herein. Binect GmbH has taken
> precautionary measures to reduce the risk of possible distribution of
> virus infected software or emails. However, we advise you to check
> attachments to this email for viruses. Except for cases of intent or
> gross negligence, we cannot accept any legal obligation for loss or
> damage by virus infected software.
> -- 
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4223 bytes
Desc: not available
URL: <http://mta.openssl.org/pipermail/openssl-users/attachments/20170427/83a34ab9/attachment-0001.bin>

More information about the openssl-users mailing list