Bugzilla – Bug 1679
Unified support for emailAddress in grid-mapfile
Last modified: 2008-08-12 13:32:43
I don't find the following answer given on the discuss list to be acceptable. The middleware (that is, us) should hide any anomalies in the toolkits on which we depend.

BTW, I recommend emailAddress= throughout.

/Olle

-----Original Message-----
From: Samuel Meder
Sent: Wednesday, March 31, 2004 16:53
To: Masahiro Ito
Cc: discuss@globus.org
Subject: Re: [Globus-discuss] User certificate subject (DN) with EmailAddress

On Wed, 2004-03-31 at 06:11, Masahiro Ito wrote:
> Hi all,
>
> I have a trouble with the user certificates that contain EmailAddress in the
> subject.
>
> If my user certificate's subject is
> "/C=JP/O=myhome/CN=Masahiro ITO/Email=itou_masahiro2002@ybb.ne.jp",
> I must describe DN in grid-mapfile as follows (otherwise the operations
> will fail):
>
> (1) To use WS in GT3.0.2 and GT3.2beta
> "/C=JP/O=myhome/CN=Masahiro ITO/E=itou_masahiro2002@ybb.ne.jp" masahiro
>
> (2) To use pre-WS in GT3.0.2
> "/C=JP/O=myhome/CN=Masahiro ITO/Email=itou_masahiro2002@ybb.ne.jp" masahiro
>
> (3) To use pre-WS in GT3.2beta
> "/C=JP/O=myhome/CN=Masahiro ITO/emailAddress=itou_masahiro2002@ybb.ne.jp"
> masahiro
>
> I found openssl-0.9.6 displays "Email=" and openssl-0.9.7 displays
> "emailAddress=".
> ( $ openssl x509 -subject -in certfile )
> But I don't know about "E=".
>
> I have to use and switch three types of grid-mapfile now.
> But I'd like to use only one grid-mapfile. How to describe such DNs?
> Or shouldn't I use email-address in the certificate subject?

It's somewhat unfortunate. Adding all three entries to the same grid-mapfile should work, so you will still only have to have one grid-mapfile.

/Sam
*** Bug 2766 has been marked as a duplicate of this bug. ***
A work around has been committed to the C code. /Sam
Work around committed for Java code.
To elaborate a little: We now canonicalize DNs before comparison

* E= and Email= are changed to emailAddress=
* UID= is changed to USERID=
* all comparisons are done using non-case sensitive string matching

/Sam
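The canonicalization listed in the comment above, as an added Python sketch (not the Globus C or Java code, and not posted by anyone in this bug). It assumes OpenSSL one-line DNs and a grid-mapfile of `"DN" account` lines in which the first entry for a DN wins; the function names and all sample entries are constructed for illustration.

```python
import shlex

# Attribute-name aliases from the comment above, keyed in lower case.
ALIASES = {"e": "emailAddress", "email": "emailAddress", "uid": "USERID"}

def canonicalize_dn(dn):
    """Canonical form of an OpenSSL one-line DN such as /C=JP/O=x/CN=y."""
    if not dn.startswith("/"):
        raise ValueError("expected a one-line DN starting with '/'")
    rdns = []
    for part in dn.split("/")[1:]:
        name, sep, value = part.partition("=")
        if not sep:
            if not rdns:
                raise ValueError("first component has no '='")
            # The slash was part of the previous value, as in the host
            # certificate subject CN=host/node1.example.org.
            rdns[-1][1] += "/" + part
            continue
        # Only the attribute name is rewritten, never text inside a value.
        rdns.append([ALIASES.get(name.lower(), name), value])
    # Lower-casing the whole string folds values as well as names, so two
    # DNs that differ only in letter case map to the same account.
    return "".join(f"/{n}={v}" for n, v in rdns).lower()

def load_gridmap(text):
    """Map canonical DN -> local account; the first entry for a DN wins
    (an assumption of this sketch)."""
    mapping = {}
    for line in text.splitlines():
        fields = shlex.split(line, comments=True)  # quoted DN, '#' comments
        if len(fields) >= 2:
            mapping.setdefault(canonicalize_dn(fields[0]), fields[1])
    return mapping

def lookup(mapping, subject):
    """Return the local account for a certificate subject, or None."""
    return mapping.get(canonicalize_dn(subject))

# Constructed grid-mapfile: one entry per user, one spelling each.
GRIDMAP = load_gridmap('''
# constructed sample entries
"/C=JP/O=example/CN=Test User/emailAddress=user@example.org" tuser
"/O=Grid/USERID=jdoe/CN=Jane Doe" jdoe
"/O=Grid/CN=host/node1.example.org" gridsvc
''')
```

With one entry per user, the three spellings reported in the original message (E=, Email=, emailAddress=) all resolve to the same account, and a subject that differs only in letter case resolves to it as well.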
> * E= and Email= are changed to emailAddress=
> * UID= is changed to USERID=
> * all comparisons are done using non-case sensitive string matching

Note that USERID is the old form (GT2) and UID is the new form (GT3, GT4, OpenSSL 0.9.7). It would be more consistent to change USERID= to UID=. (If this is just internal, it probably doesn't matter much.)

I've never seen "E=".

I'm not certain that doing a case insensitive match is necessary, or even a good idea.

Note that gx-map, <http://users.sdsc.edu/~kst/gx-map/>, automatically maintains grid-mapfiles and signing_policy files (as well as CA certificates and CRLs), and handles the USERID vs. UID and Email vs. emailAddress stuff more or less transparently.