UID in subj args - bug?

Viktor Dukhovni openssl-users at dukhovni.org
Fri Jul 7 04:29:38 UTC 2023

On Thu, Jul 06, 2023 at 07:45:09PM -0400, Robert Moskowitz wrote:

> > Welcome to the world of X.509 where anything goes, and nobody knows
> > what's going on...
> Well perhaps at IETF117 I can corner someones that can point me to the clue.

There isn't much clue to be had.  There's no definitive list of possible
RDN OIDs.  Each new application or even organisation with an OID arc
can define some new attribute (perhaps in their LDAP schema) and
choose to employ it in their directory names.

When I said "anything goes", I meant what I said.

> For now it seems that you put something into the policy section.  If it 
> does not throw an error, you are good.
> or good enough.

You can literally put any OID in the policy section.  Then RDNs with
that OID will be treated per the policy (match, supplied or optional).

    oid_section = new_oids
    [ new_oids ]
    prime_rib =
    [ policy_match ]
    prime_rib = supplied

To be used in a PKI for the meat packing industry...


More information about the openssl-users mailing list