Bug 1679 - Unified support for emailAddress in grid-mapfile
Status: RESOLVED FIXED
: GSI C
Credentials and Proxies
: unspecified
: All All
: P2 major
: C/Java
Reported: 2004-03-31 12:23 by
Modified: 2008-08-12 13:32


Description From 2004-03-31 12:23:04
I don't find the following answer given on the discuss list to be acceptable. 
The middleware (that is, us) should hide any anomalies in the toolkits on 
which we depend.

BTW, I recommend emailAddress= throughout.

/Olle

-----Original Message-----
From: Samuel Meder
Sent: Wednesday, March 31, 2004 16:53
To: Masahiro Ito
Cc: discuss@globus.org
Subject: Re: [Globus-discuss] User certificate subject (DN) with EmailAddress


On Wed, 2004-03-31 at 06:11, Masahiro Ito wrote:
> Hi all,
> 
> I have trouble with the user certificates that contain EmailAddress in the
> subject.
> 
> If my user certificate's subject is
> "/C=JP/O=myhome/CN=Masahiro ITO/Email=itou_masahiro2002@ybb.ne.jp",
> I must describe the DN in grid-mapfile as follows (otherwise the operations
> will fail):
> 
> (1) To use WS in GT3.0.2 and GT3.2beta
> "/C=JP/O=myhome/CN=Masahiro ITO/E=itou_masahiro2002@ybb.ne.jp"  masahiro
> 
> (2) To use pre-WS in GT3.0.2
> "/C=JP/O=myhome/CN=Masahiro ITO/Email=itou_masahiro2002@ybb.ne.jp"  masahiro
> 
> (3) To use pre-WS in GT3.2beta
> "/C=JP/O=myhome/CN=Masahiro ITO/emailAddress=itou_masahiro2002@ybb.ne.jp"  masahiro
> 
> I found openssl-0.9.6 displays "Email=" and openssl-0.9.7 displays
> "emailAddress=".
> ( $ openssl x509 -subject -in certfile )
> But I don't know about "E=".
> 
> I have to use and switch three types of grid-mapfile now.
> But I'd like to use only one grid-mapfile. How to describe such DNs?
> Or shouldn't I use email-address in the certificate subject?

It's somewhat unfortunate. Adding all three entries to the same
grid-mapfile should work, so you will still only have to have one
grid-mapfile.

/Sam
------- Comment #1 From 2005-02-18 16:33:54 -------
*** Bug 2766 has been marked as a duplicate of this bug. ***
------- Comment #2 From 2005-04-05 10:18:41 -------
A workaround has been committed to the C code.

/Sam
------- Comment #3 From 2005-04-06 16:46:08 -------
Workaround committed for Java code.
------- Comment #4 From 2005-04-07 13:34:59 -------
To elaborate a little: We now canonicalize DNs before comparison

* E= and Email= are changed to emailAddress=
* UID= is changed to USERID=
* all comparisons are done using non-case sensitive string matching

/Sam
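
The canonicalization listed in Comment #4, sketched in Python as an added example (not the committed Globus C or Java code). The DNs, local user names and the function names `canonicalize`, `load_gridmap` and `lookup` are constructed for illustration; matching the alias names case-insensitively and letting the first grid-mapfile entry win are assumptions of this sketch.

```python
import re
import shlex

# Renames listed in Comment #4. Matching the alias itself case-insensitively
# is an assumption of this example.
ALIASES = {"e": "emailAddress", "email": "emailAddress", "uid": "USERID"}

# An attribute name is recognised only at the start of a component: after "/"
# and directly before "=". A "/" inside a value (CN=host/node...) is untouched.
_ATTR = re.compile(r"/([A-Za-z]+)=")

def canonicalize(dn):
    """Return the comparison key for a slash-separated subject DN."""
    def rename(m):
        return "/%s=" % ALIASES.get(m.group(1).lower(), m.group(1))
    # Lower-casing implements the case-insensitive comparison; it also makes
    # DNs that differ only in case share one key (the concern in Comment #5).
    return _ATTR.sub(rename, dn.strip()).lower()

def load_gridmap(text):
    """Parse '"DN" localuser' lines into {canonical DN: local user}."""
    table = {}
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)
        if len(fields) >= 2:
            # First entry wins: a choice made for this example.
            table.setdefault(canonicalize(fields[0]), fields[1])
    return table

def lookup(table, subject_dn):
    """Map a certificate subject to a local user, or None if unmapped."""
    return table.get(canonicalize(subject_dn))

# Constructed sample grid-mapfile: one spelling per user is enough.
GRIDMAP = '''
# constructed entries
"/C=JP/O=myhome/CN=Example User/emailAddress=user@example.org" exuser
"/O=Grid/OU=example/USERID=jdoe/CN=J Doe" jdoe
'''
TABLE = load_gridmap(GRIDMAP)

if __name__ == "__main__":
    for attr in ("E", "Email", "emailAddress"):
        dn = "/C=JP/O=myhome/CN=Example User/%s=user@example.org" % attr
        print(attr, "->", lookup(TABLE, dn))
```

Because the key is case-folded, two subjects that differ only in letter case resolve to the same local account, so a deployment relying on this comparison depends on its CAs never issuing such a pair.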
------- Comment #5 From 2005-04-07 19:31:55 -------
> * E= and Email= are changed to emailAddress=
> * UID= is changed to USERID=
> * all comparisons are done using non-case sensitive string matching

Note that USERID is the old form (GT2) and UID is the new form (GT3, GT4,
OpenSSL 0.9.7).  It would be more consistent to change USERID= to UID=.
(If this is just internal, it probably doesn't matter much.)

I've never seen "E=".

I'm not certain that doing a case insensitive match is necessary, or even a
good idea.

Note that gx-map, <http://users.sdsc.edu/~kst/gx-map/>, automatically
maintains grid-mapfiles and signing_policy files (as well as CA certificates
and CRLs), and handles the USERID vs. UID and Email vs. emailAddress stuff
more or less transparently.