[Python-Dev] frozenset C API?
Bill Janssen
janssen at parc.com
Thu Sep 6 19:15:41 CEST 2007
> RFC 2818
>
> """If a subjectAltName extension of type dNSName is present, that MUST
> be used as the identity. Otherwise, the (most specific) Common Name
> field in the Subject field of the certificate MUST be used. Although
> the use of the Common Name is existing practice, it is deprecated and
> Certification Authorities are encouraged to use the dNSName instead.
> """
Yes, subjectAltName is a big one. But I think it may be the only
extension I'll expose. The issue is that I don't see a generic way
of mapping extension X into Python data structure Y; each one needs to
be handled specially. If you can see a way around this, please speak
up!
> I really don't understand why you would not expose all data in the
> certificate. It seems totally obvious. The data is there for a reason.
> I want the subjectAltName. Probably other people want other stuff. Why
> cripple it? Please include it all.
I intend to "include it all", by giving you a way to pull the full DER
form of the certificate into Python. But a number of fields in the
certificate have nothing to do with authorization, like the signature,
which has already been used for validation. So I don't intend to try
to convert them into Python-friendly forms. Applications which want to
use that information already need to have a more powerful library, like
M2Crypto or PyOpenSSL, available; they can simply work with the DER form
of the certificate.
Bill
More information about the Python-Dev
mailing list