Alexey Melnikov <[email protected]> wrote:
>>>    o In the language of [RFC6125] this provides for a SERIALNUM-ID
>>>      category of identifier that can be included in a certificate and
>>>      therefore that can also be used for matching purposes. The
>>>      SERIALNUM-ID whitelist is collated according to manufacturer trust
>>>      anchor since serial numbers are not globally unique.
> This is actually not helping. I was looking for something like:
> DNS-ID = a subjectAltName entry of type dNSName
> Basically I was asking for a definition of SERIALNUM-ID somewhere.
It's a (subject) DN attribute, serialNumber=123456, not a subjectAltName
(and not the CertificateSerialNumber).
It's X.520, via 802.1AR and RFC 5280 section 4.1.2.4:
https://www.itu.int/rec/dologin_pub.asp?lang=e&id=T-REC-X.520-201610-I!!PDF-E&type=items
section 6.2.9.
o Client authentication is automated using Initial Device Identity
(IDevID) as per the EST certificate based client authentication.
The subject field's DN encoding MUST include the "serialNumber"
- attribute with the device's unique serial number.
+ attribute with the device's unique serial number as explained in
+ Section 2.3.1
- o This extends the informal set of "identifer type" values defined
- in [RFC6125] to include a SERIALNUM-ID category of identifier that
- can be included in a certificate and therefore that can also be
- used for matching purposes. As noted in that document this is not
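Review bot: The added lines drop the SERIALNUM-ID definition in favour of a pointer to Section 2.3.1, but the term is still used in the sentence quoted at the top of this thread ("The SERIALNUM-ID whitelist is collated according to manufacturer trust anchor ..."); if that sentence remains in the draft it needs the same edit, or Section 2.3.1 should give the RFC 6125-style definition Alexey asked for (e.g. "SERIALNUM-ID = the serialNumber attribute of the subject DN"). Two smaller points: the added text "as explained in Section 2.3.1" has no terminating period, and the removed paragraph is cut off mid-sentence ("As noted in that document this is not"), so the hunk as pasted does not show whether the remainder of that paragraph is also deleted.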
--
] Never tell me the odds! | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | IoT architect [
] [email protected] http://www.sandelman.ca/ | ruby on rails [
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
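The distinction drawn in the reply above, as an added example that is not part of the draft or of either post: a registrar-side whitelist that matches on the X.520 serialNumber attribute (OID 2.5.4.5) of an IDevID subject DN, keyed by the manufacturer trust anchor the certificate chained to, and that never mistakes the certificate's own CertificateSerialNumber for that attribute. The ParsedCert structure, the anchor labels and the sample certificates are constructed for the example; a real registrar would take these fields from an X.509 library after chain validation.

```python
# Added example (not from the BRSKI draft or the mailing-list posts): a
# registrar-side whitelist that matches the X.520 serialNumber attribute of an
# IDevID subject DN, keyed by manufacturer trust anchor, and that never
# confuses it with the certificate's own CertificateSerialNumber field.
from dataclasses import dataclass, field

# X.520 serialNumber attribute type (listed among the subject DN attributes in
# RFC 5280 section 4.1.2.4). This attribute is what the draft calls SERIALNUM-ID.
SERIALNUMBER_OID = "2.5.4.5"


@dataclass
class ParsedCert:
    """Constructed stand-in for a certificate that has already been parsed and
    chain-validated; a real deployment takes these fields from an X.509 library."""
    anchor_id: str            # hypothetical label of the manufacturer trust anchor the chain ended at
    certificate_serial: int   # CertificateSerialNumber from tbsCertificate (issuer-assigned, per certificate)
    subject: list             # subject DN as (attribute OID, value) pairs
    san_dns: list = field(default_factory=list)  # dNSName SAN entries, i.e. RFC 6125 DNS-IDs


def serialnum_id(cert):
    """Return the SERIALNUM-ID, i.e. the value of the subject DN's serialNumber attribute.

    Returns None when the attribute is absent or appears more than once: an
    ambiguous identifier must not be used for matching."""
    values = [value for oid, value in cert.subject if oid == SERIALNUMBER_OID]
    return values[0] if len(values) == 1 else None


class SerialWhitelist:
    """Whitelist collated per manufacturer trust anchor: the same serial number
    string issued under two different manufacturers names two different devices."""

    def __init__(self):
        self._by_anchor = {}  # anchor_id -> set of permitted serialNumber values

    def add(self, anchor_id, serial):
        self._by_anchor.setdefault(anchor_id, set()).add(serial)

    def permits(self, cert):
        sid = serialnum_id(cert)
        if sid is None:
            return False
        return sid in self._by_anchor.get(cert.anchor_id, set())


# Constructed sample data: two manufacturers that both happen to assign the
# serial number "123456" to one of their devices.
WHITELIST = SerialWhitelist()
WHITELIST.add("manufacturer-A-root", "123456")

CERT_A = ParsedCert("manufacturer-A-root", 0x1A2B,
                    [("2.5.4.10", "Manufacturer A"), (SERIALNUMBER_OID, "123456")])
# Same serialNumber attribute value under a different manufacturer: a different device.
CERT_B = ParsedCert("manufacturer-B-root", 0x3C4D,
                    [("2.5.4.10", "Manufacturer B"), (SERIALNUMBER_OID, "123456")])
# CertificateSerialNumber happens to be 123456, but the subject DN names another device.
CERT_A_CONFUSED = ParsedCert("manufacturer-A-root", 123456, [(SERIALNUMBER_OID, "999999")])
# Only a dNSName SAN, no serialNumber attribute: there is no SERIALNUM-ID to match.
CERT_SAN_ONLY = ParsedCert("manufacturer-A-root", 0x5E6F,
                           [("2.5.4.10", "Manufacturer A")], san_dns=["device.example"])


def run_checks():
    """Evaluate each constructed certificate against the whitelist."""
    return {
        "A": WHITELIST.permits(CERT_A),
        "B_same_serial": WHITELIST.permits(CERT_B),
        "A_cert_serial_not_attr": WHITELIST.permits(CERT_A_CONFUSED),
        "san_only": WHITELIST.permits(CERT_SAN_ONLY),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name}: {'permitted' if ok else 'rejected'}")
```

Only CERT_A is permitted: CERT_B carries the same serialNumber string but chains to a different manufacturer, CERT_A_CONFUSED has 123456 only as its CertificateSerialNumber, and CERT_SAN_ONLY has no serialNumber attribute at all, so it yields no SERIALNUM-ID and is rejected before any lookup.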
