On Mon, Mar 15, 2021 at 10:58:56AM +0100, Eliot Lear wrote:
> By way of example, IEEE 802.1AR allows for the use of the subject, and
> some of those certs are extremely long lived. One thing we should do
> is liaise this draft to the 802.1 committee so that they can prepare
> their base, and get their feedback about how to roll out this change.
>
> For libraries like OpenSSL I wouldn’t mind throwing in a new flag, for
> instance, that would be required to validate a cert based on the
> subject. That would help these other uses get over the hump over
> time; perhaps even with a warning of some form emitted.
Easy fix IF we really need it:

 - relying parties MUST reject old-style certificates issued after some
   appropriate future date TBD
 - relying parties MAY continue to accept old-style certificates issued
   before some appropriate future date TBD
 - after some appropriate future date TBD, relying parties MAY reject
   old-style certificates issued before that date
 - after some later appropriate future date TBD, relying parties SHOULD
   reject old-style certificates issued before that date

As Watson noted, one should be able to get old-style certificates
re-issued with dNSName SANs and empty DNs.

Some long-lived certificates can't be replaced easily (e.g., EKcerts),
but generally those can't have any kind of hostname name because such
names cannot possibly be known at issuance time or because it's not
appropriate for the issuer to assert them.

Conversely, devices not using such hard-to-roll certs must be possible
to fix, so we can have a drop-dead date even for certificates issued
before that date.

Nico

-- 
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
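The phased relying-party policy sketched in the reply above, written out as an added example (not code from the thread, the UTA draft, or any TLS library). "Old-style" here means a certificate whose hostname lives only in the subject CN with no dNSName subjectAltName; the three cutoff dates stand in for the "appropriate future date TBD" values the message leaves open, and the CertSummary/Policy types are assumptions made for the example rather than any library's API.

```python
"""Phased deprecation of subject-CN hostname fallback in a relying party.

Added example; not code from the mailing-list thread or any project.
The relying party first checks whether a certificate is 'old-style'
(no dNSName SAN, so hostname matching would have to fall back to the
subject CN), then applies the four rules from the thread:

  1. old-style cert issued on/after ISSUE_CUTOFF      -> MUST reject
  2. old-style cert issued before ISSUE_CUTOFF        -> MAY accept
  3. evaluated on/after MAY_REJECT_FROM  (drop-dead 1) -> MAY reject
  4. evaluated on/after SHOULD_REJECT_FROM (drop-dead 2) -> SHOULD reject

All dates below are placeholders chosen for the example.
"""
from dataclasses import dataclass
from datetime import date
from enum import Enum


class Verdict(Enum):
    ACCEPT = "accept"                # has a dNSName SAN; CN fallback not needed
    MAY_ACCEPT = "may-accept"        # old-style, issued before the cutoff, no drop-dead reached
    MAY_REJECT = "may-reject"        # old-style, first drop-dead date reached
    SHOULD_REJECT = "should-reject"  # old-style, later drop-dead date reached
    MUST_REJECT = "must-reject"      # old-style, issued on/after the issuance cutoff


@dataclass(frozen=True)
class CertSummary:
    """Minimal view of a parsed certificate (constructed for the example)."""
    not_before: date      # issuance date, taken from the validity period
    has_dns_san: bool     # True if any dNSName subjectAltName is present


@dataclass(frozen=True)
class Policy:
    issue_cutoff: date        # old-style certs issued on/after this: MUST reject
    may_reject_from: date     # first drop-dead date: MAY reject legacy old-style certs
    should_reject_from: date  # later drop-dead date: SHOULD reject them

    def __post_init__(self) -> None:
        # The phases only make sense in this order; catch misconfiguration early.
        if not (self.issue_cutoff <= self.may_reject_from <= self.should_reject_from):
            raise ValueError("policy dates must be non-decreasing")


def is_old_style(cert: CertSummary) -> bool:
    """Old-style: hostname verification would have to fall back to the subject CN."""
    return not cert.has_dns_san


def evaluate(cert: CertSummary, policy: Policy, today: date) -> Verdict:
    """Classify a certificate under the phased policy as of `today`."""
    if not is_old_style(cert):
        return Verdict.ACCEPT
    if cert.not_before >= policy.issue_cutoff:
        return Verdict.MUST_REJECT
    if today >= policy.should_reject_from:
        return Verdict.SHOULD_REJECT
    if today >= policy.may_reject_from:
        return Verdict.MAY_REJECT
    return Verdict.MAY_ACCEPT


# Which verdicts each enforcement level treats as a rejection.
_REJECTS = {
    "lenient": {Verdict.MUST_REJECT},                                   # honour only MUST
    "default": {Verdict.MUST_REJECT, Verdict.SHOULD_REJECT},            # honour MUST and SHOULD
    "strict": {Verdict.MUST_REJECT, Verdict.SHOULD_REJECT, Verdict.MAY_REJECT},
}


def allow_cn_fallback(cert: CertSummary, policy: Policy, today: date,
                      level: str = "default") -> bool:
    """True if the relying party may still match the hostname against the subject CN."""
    return evaluate(cert, policy, today) not in _REJECTS[level]


# Placeholder dates for the example's policy (not dates from the thread).
EXAMPLE_POLICY = Policy(
    issue_cutoff=date(2022, 1, 1),
    may_reject_from=date(2024, 1, 1),
    should_reject_from=date(2026, 1, 1),
)

if __name__ == "__main__":
    legacy = CertSummary(not_before=date(2021, 3, 1), has_dns_san=False)
    for day in (date(2023, 6, 1), date(2024, 6, 1), date(2026, 6, 1)):
        print(day, evaluate(legacy, EXAMPLE_POLICY, day).value,
              "cn-fallback:", allow_cn_fallback(legacy, EXAMPLE_POLICY, day))
```

A real relying party would fill CertSummary from the parsed certificate (notBefore and the subjectAltName extension) before calling evaluate; the enforcement level is where an OpenSSL-style opt-in flag or warning, as suggested in the quoted message, would plug in.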