We are dealing with 10s of CAs and thousands of certificates.

We have been using serialized DNs for years in ActiveMQ and we didn't have problems.
Usually we get the DN and we just add it to the configuration. The update of a DN is usually not
an operation which causes us trouble.

Regards,
---
Massimo Paladin

email: massimo.paladin@gmail.com
website: http://www.mpaladin.com
flickr's page: http://flickr.com/photos/massimop

On Tue, Jul 12, 2011 at 5:42 PM, Simon MacMullen <simon@rabbitmq.com> wrote:
> On 12/07/11 16:33, Massimo Paladin wrote:
>>
>> Will this be part of the next release?
>
> I doubt it, nothing has been done.
>
> This is something Matthias and I have been arguing about for ages. I suspect
> that even though just RFC 4514-serialising the DN and doing string matching
> is completely wrong in theory, in practice it would be what a decent number
> of users would want. Matthias thinks that it will lead into a tarpit of bugs
> around DN equivalence. And I have to admit that he has much more real world
> experience dealing with stupid SSL / x509 behaviour than I do!
>
> But neither of us really knows. Hearing from people like you who want this
> would be helpful:
>
> * If you have many CAs, is that just a bunch of internal sysadmins running
> OpenSSL or real-world CAs?
>
> * If you had to update usernames when a user had a new certificate and the
> DN format changed for some daft reason, how big a deal would that be?
>
> etc etc...
>
> Cheers, Simon
>
> --
> Simon MacMullen
> RabbitMQ, VMware
>
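
The DN equivalence problem discussed in this thread, shown as an added example that is not part of the original messages and is not RabbitMQ or ActiveMQ code: two RFC 4514 strings for the same DN can differ byte for byte, so plain string matching rejects a valid user. The sample DNs are constructed, the OID alias table is partial, and the sketch assumes every attribute matches case-insensitively with insignificant whitespace (no full string preparation, no `#hex` values).

```python
import re

# Assumed alias table (not exhaustive): dotted OIDs -> RFC 4514 short names.
OID_NAMES = {"2.5.4.3": "cn", "2.5.4.6": "c", "2.5.4.10": "o", "2.5.4.11": "ou"}

def _split(s, sep):
    """Split s on unescaped sep, keeping backslash escapes intact."""
    parts, cur, i = [], "", 0
    while i < len(s):
        if s[i] == "\\" and i + 1 < len(s):
            cur += s[i:i + 2]; i += 2
        elif s[i] == sep:
            parts.append(cur); cur = ""; i += 1
        else:
            cur += s[i]; i += 1
    return parts + [cur]

def _unescape(v):
    """Decode \\XX hex pairs (UTF-8 bytes) and single-character escapes."""
    out, i = bytearray(), 0
    while i < len(v):
        m = re.match(r"\\([0-9A-Fa-f]{2})", v[i:])
        if m:
            out.append(int(m.group(1), 16)); i += 3
        elif v[i] == "\\" and i + 1 < len(v):
            out += v[i + 1].encode(); i += 2
        else:
            out += v[i].encode(); i += 1
    return out.decode("utf-8")

def canonical_dn(dn):
    """Tuple of RDNs in order; each RDN is a frozenset of (type, value)."""
    rdns = []
    for rdn in _split(dn, ","):
        avas = set()
        for ava in _split(rdn, "+"):  # multi-valued RDN: order is irrelevant
            typ, _, val = ava.partition("=")
            typ = typ.strip().lower()
            typ = OID_NAMES.get(typ[4:] if typ.startswith("oid.") else typ, typ)
            val = " ".join(_unescape(val.strip()).split()).casefold()
            avas.add((typ, val))
        rdns.append(frozenset(avas))
    return tuple(rdns)

def same_dn(a, b):
    return canonical_dn(a) == canonical_dn(b)

# Constructed sample DNs: A, B and C name the same subject; D does not.
A = "CN=Alice Example,OU=Ops,O=Example Org,C=CH"
B = "cn=alice  example, ou=ops, o=Example Org, c=ch"
C = "2.5.4.3=Alice Example,OU=Ops,O=Example Org,C=CH"
D = "CN=Alice Example,OU=Ops,O=Example\\, Org,C=CH"
```

RDN order is deliberately left significant: treating a reversed sequence as equal would make two different DNs compare as the same user.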