On Thu, Feb 11, 2021 at 12:00:10PM -0800, uta-requ...@ietf.org wrote:
[...]
> 3. Requirements on cert naming
>
> RFC 7925 Sec. 4.4.2 says:
>
> For client certificates, the identifier used in the SubjectAltName or
> in the leftmost CN component of subject name MUST be an EUI-64.
>
> This looks problematic as it's at the same time too rigid - the MUST
> doesn't permit deviation - and too loose, glossing over the details of
> how the EUI-64 is actually encoded.
>
> When used in the CN, i.e., as printable string, it looks like it's
> sensible to assume that the IEEE guidelines for EUI-64 apply (the usual
> "01-23-...-cd-ef" or "0123...cdef"), and that might be the case for the
> SAN as well, stuffing it into a dNSName.
>
> Does that sound reasonable? Are you aware of any other practice?
Mention of CN stuck out to me -- the trend seems to be towards just not
using CN at all -- see the secdispatch request for a draft at
https://mailarchive.ietf.org/arch/msg/secdispatch/TAk5H3u_5C_JehUB7EKAnfegxj0/

-Ben

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
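The quoted question is about which textual encodings of an EUI-64 a server should accept when it maps a client certificate to a device identity under RFC 7925 Sec. 4.4.2. The following is an added example (not code from the thread, the RFC, or any IETF project) showing one way a relying party can extract and normalise that identifier from the two forms the message names: the IEEE hyphenated form "01-23-45-67-89-AB-CD-EF" and the compact form "0123456789ABCDEF". It assumes the subject is given as an RFC 4514 string, that the SAN dNSName values are already extracted as plain strings, and that a SAN entry is preferred over the CN (the usual RFC 6125 ordering, which RFC 7925 itself does not spell out); the canonical output form (uppercase, hyphenated) is likewise a choice made here. It uses only the standard library.

```python
from __future__ import annotations

import re
from typing import Optional

# Two textual forms the thread mentions as likely in practice.
# Hyphenated IEEE form: exactly eight hex octets separated by "-".
HYPHEN_RE = re.compile(r"^([0-9A-Fa-f]{2})(?:-[0-9A-Fa-f]{2}){7}$")
# Compact form: sixteen hex digits with no separators.
COMPACT_RE = re.compile(r"^[0-9A-Fa-f]{16}$")


def parse_eui64(text: str) -> Optional[bytes]:
    """Return the 8 octets of an EUI-64 written in hyphenated or compact
    hex form, or None if the string is not a well-formed EUI-64.
    Colon-separated and EUI-48 (6-octet) strings are deliberately rejected."""
    s = text.strip()
    if HYPHEN_RE.match(s):
        return bytes.fromhex(s.replace("-", ""))
    if COMPACT_RE.match(s):
        return bytes.fromhex(s)
    return None


def canonical_eui64(octets: bytes) -> str:
    """Canonical form used by this example: uppercase hex, hyphen separated.
    Normalising before comparison avoids treating "01-23-..." and
    "0123..." as two different devices."""
    if len(octets) != 8:
        raise ValueError("EUI-64 must be exactly 8 octets")
    return "-".join(f"{b:02X}" for b in octets)


def leftmost_cn(subject_rfc4514: str) -> Optional[str]:
    """Return the value of the leftmost CN attribute in an RFC 4514 subject
    string (assumption: that is what 'leftmost CN component' means here).
    Splits only on unescaped commas; multi-valued RDNs are not handled."""
    for part in re.split(r"(?<!\\),", subject_rfc4514):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None


def client_identifier(subject: str, san_dnsnames: list[str]) -> Optional[str]:
    """Derive the device identifier a relying party would bind to this client
    certificate: first any SAN dNSName that parses as an EUI-64, otherwise the
    leftmost CN. Returns the canonical string, or None if no EUI-64 is present,
    in which case the cert does not satisfy the RFC 7925 naming rule."""
    for name in san_dnsnames:
        octets = parse_eui64(name)
        if octets is not None:
            return canonical_eui64(octets)
    cn = leftmost_cn(subject)
    if cn is not None:
        octets = parse_eui64(cn)
        if octets is not None:
            return canonical_eui64(octets)
    return None


if __name__ == "__main__":
    # Constructed sample inputs, not taken from any real certificate.
    print(client_identifier("CN=0123456789abcdef,O=Example", ["device.example"]))
    print(client_identifier("CN=not-an-eui,O=Example", ["01-23-45-67-89-AB-CD-EF"]))
    print(client_identifier("CN=device,O=Example", []))
```

A relying party that accepts both forms but compares the raw strings would treat the same device as two identities; normalising to octets first, as above, closes that gap. The hyphenated form also happens to be a valid single LDH label, which is what makes "stuffing it into a dNSName" work at all; the compact form is too, but anything with colons is not.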