gpgsm and mail address
Yoshiaki Kasahara
kasahara at nc.kyushu-u.ac.jp
Fri Mar 7 06:29:46 CET 2008
Hello,
I just subscribed to this ML to report a difficulty I faced recently when
using gpgsm for S/MIME.
One of my co-workers has a certificate which doesn't contain the
subjectAltName extension ("aka"), but does contain the PKCS #9
emailAddress attribute in the DN.
gpgsm -kv shows the certificate like this (name and address masked):
ID: 0x42E8F696
S/N: 388E8742292DF9E49B236F1C50FC303D
Issuer: /CN=S\x2fMIME for UPKI Project/OU=Class 1 OnSite Individual Subscriber CA/OU=Terms of use at https:\x2f\x2fwww.verisign.co.jp\x2frpa (c)06/OU=VeriSign Trust Network/O=National Institute of Informatics
Subject: /CN=(His name)/OU=Terms of use at www.verisign.co.jp\x2frpa (c)06/OU=S\x2fMIME for UPKI Project/O=National Institute of Informatics/EMail=(his email address)
validity: 2007-07-03 00:00:00 through 2008-07-02 23:59:59
key type: 1024 bit RSA
policies: 2.16.840.1.113733.1.7.23.1:N:
fingerprint: 03:8D:C5:66:87:66:5C:FE:46:70:E0:D3:AC:7C:B3:66:42:E8:F6:96
It seems that gpgsm doesn't recognize DN's EMail attribute as an email
address, so I cannot specify his certificate by his email address.
"gpgsm -kv <his email address>" returns nothing.
Here is an excerpt from RFC3850:
Receiving agents MUST recognize
email addresses in the subjectAltName field. Receiving agents MUST
recognize email addresses in the Distinguished Name field in the PKCS
#9 [PKCS9] emailAddress attribute:
pkcs-9-at-emailAddress OBJECT IDENTIFIER ::=
{iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 1 }
Note that this attribute MUST be encoded as IA5String.
So I think it should be possible to use an email address in the PKCS #9
emailAddress attribute to specify his certificate.
I'm using gpgsm (GnuPG) 2.0.8.
Regards,
--
Yoshiaki Kasahara
Research Institute for Information Technology, Kyushu University
kasahara at nc.kyushu-u.ac.jp
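The RFC 3850 requirement quoted in the message, that a receiving agent recognise an address both as an rfc822Name in subjectAltName and as a PKCS #9 emailAddress attribute in the subject DN, is illustrated by the following added example. It is not code from the message or from GnuPG/gpgsm; it uses only Go's standard library, builds two throwaway self-signed certificates as constructed test data (one carrying the address only in the DN, as in the co-worker's certificate, one only in subjectAltName), and shows a lookup that finds the address in either place. The helper names (CertEmailAddresses, CertMatchesAddress, selfSignedCert) and the example addresses are assumptions for this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// PKCS #9 emailAddress OID, exactly as quoted from RFC 3850 in the message:
// {iso(1) member-body(2) us(840) rsadsi(113549) pkcs(1) pkcs-9(9) 1}
var oidPKCS9EmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// CertEmailAddresses returns every address an RFC 3850 receiving agent must
// recognise: rfc822Name entries from subjectAltName plus any PKCS #9
// emailAddress attributes present in the subject DN.
func CertEmailAddresses(cert *x509.Certificate) []string {
	var addrs []string
	// subjectAltName rfc822Name entries; Go's parser fills these in already.
	addrs = append(addrs, cert.EmailAddresses...)
	// cert.Subject.Names holds every DN attribute, including ones for which
	// pkix.Name has no dedicated field, such as emailAddress.
	for _, atv := range cert.Subject.Names {
		if atv.Type.Equal(oidPKCS9EmailAddress) {
			if s, ok := atv.Value.(string); ok {
				addrs = append(addrs, s)
			}
		}
	}
	return addrs
}

// CertMatchesAddress reports whether the certificate carries addr in either
// location. RFC 3850 treats the domain part as case-insensitive; this lookup
// helper compares the whole address case-insensitively (an assumption here).
func CertMatchesAddress(cert *x509.Certificate, addr string) bool {
	for _, a := range CertEmailAddresses(cert) {
		if strings.EqualFold(a, addr) {
			return true
		}
	}
	return false
}

// selfSignedCert builds a throwaway self-signed certificate (constructed test
// data, not a real certificate). With inDN set, the address goes into the
// subject DN as a PKCS #9 emailAddress attribute and no subjectAltName is
// emitted; otherwise it goes into subjectAltName as an rfc822Name.
func selfSignedCert(cn, email string, inDN bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if inDN {
		// RFC 3850 requires this attribute to be encoded as IA5String, so
		// hand Go a RawValue instead of a plain string (which it would encode
		// as UTF8String because '@' is not a PrintableString character).
		tmpl.Subject.ExtraNames = []pkix.AttributeTypeAndValue{{
			Type: oidPKCS9EmailAddress,
			Value: asn1.RawValue{
				Class: asn1.ClassUniversal,
				Tag:   asn1.TagIA5String,
				Bytes: []byte(email),
			},
		}}
	} else {
		tmpl.EmailAddresses = []string{email}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	dnOnly, err := selfSignedCert("Alice Example", "alice@example.org", true)
	if err != nil {
		panic(err)
	}
	sanOnly, err := selfSignedCert("Bob Example", "bob@example.org", false)
	if err != nil {
		panic(err)
	}
	fmt.Println("DN-only cert addresses: ", CertEmailAddresses(dnOnly))
	fmt.Println("SAN-only cert addresses:", CertEmailAddresses(sanOnly))
	fmt.Println("lookup alice@example.org in DN-only cert:", CertMatchesAddress(dnOnly, "alice@example.org"))
}
```

A lookup that consults only subjectAltName, which is the behaviour described for gpgsm 2.0.8 above, would report false for the DN-only certificate; checking cert.Subject.Names for the PKCS #9 OID as well is what makes the lookup conform to the quoted RFC text.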