* It actually looks pretty good to me. The only thing I disagree with is "Servers either MUST NOT issue a CN-ID, or MUST use a form for the Common Name RDN that cannot be mistaken for an identifier" and similar language. It would be better to let people put whatever they want in the CN field of the subject whether or not it looks like a domain name. As long as conformant clients stop using the CN as a dNSName/iPAddress SAN alternative, then it doesn't matter what's in the CN. Probably some users will need to duplicate what's in the SAN in the subject CN for backward compatibility with nonconformant verifiers.
That’s a good point. If the doc focuses purely on client behavior then that makes it easier for legacy, such as Elliot’s vehicle issue, and also makes it more clear about the wildcards.
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
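The client behavior discussed in this thread, as an added example that is not part of the thread or of the draft: a verifier that matches the reference hostname against dNSName SAN entries only and never reads the subject CN, next to a CN-fallback verifier for contrast. The certificate dicts are constructed samples shaped like Python's `ssl.getpeercert()` output, the function names are hypothetical, and the wildcard rule (whole left-most label, one label deep) is an assumption the thread does not spell out.

```python
def _labels(name):
    return name.rstrip(".").lower().split(".")

def dns_name_matches(pattern, hostname):
    """Compare one DNS name from the certificate with the reference hostname.

    Assumption: "*" is honoured only as the complete left-most label and
    stands for exactly one label.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Need at least two literal labels after the wildcard ("*.com" is refused).
        return len(p) >= 3 and "*" not in "".join(p[1:]) and p[1:] == h[1:]
    return "*" not in pattern and p == h

def _dns_sans(cert):
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def verify_hostname(cert, hostname):
    """SAN-only check: the subject CN is never consulted, whatever it contains."""
    return any(dns_name_matches(s, hostname) for s in _dns_sans(cert))

def legacy_verify_hostname(cert, hostname):
    """Nonconformant verifier for contrast: falls back to CN when no DNS SAN exists."""
    sans = _dns_sans(cert)
    if sans:
        return any(dns_name_matches(s, hostname) for s in sans)
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return any(dns_name_matches(c, hostname) for c in cns)

# Constructed sample certificates (not taken from any real deployment).
SAN_AND_CN = {  # SAN duplicated into CN for backward compatibility
    "subject": ((("commonName", "www.example.com"),),),
    "subjectAltName": (("DNS", "www.example.com"),),
}
CN_ONLY = {"subject": ((("commonName", "www.example.com"),),)}
WILDCARD = {  # CN holds free text; only the SAN carries the identifier
    "subject": ((("commonName", "Fleet unit 0042"),),),
    "subjectAltName": (("DNS", "*.example.net"),),
}

if __name__ == "__main__":
    for cert in (SAN_AND_CN, CN_ONLY):
        print(verify_hostname(cert, "www.example.com"),
              legacy_verify_hostname(cert, "www.example.com"))
```
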