Eliot Lear <lear=40cisco....@dmarc.ietf.org> wrote:

> - CAs MUST populate a SAN.
> - Verifiers MUST use a SAN if present.
> - Verifiers MUST reject certificates without a SAN by default.
> - Verifiers MAY be configured to accept certificates without SANs when
> very long lived certificates are expected to be encountered.
>
> Some certificates identify a subject where a GeneralName is the accepted way of naming the subject. For example, end-user smart card certificates used for client authentication. For such certificates, even V1 certificates without any extensions, and in particular without any subjectAltName extension, are reasonable.
I would very much like to stick to the original idea I proposed back before the initial draft: Let's just rewrite RFC 6125 to remove the concept of CN-ID, and call it a day. Don't put any requirements on producers of certificates. They can put whatever they want into the Common Name field and it will be ignored by conformant (to the new spec) validators.

Cheers,
Brian
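To make the two positions in this exchange concrete, here is a small host-identity matcher written as an added example for this thread; it is not code from either poster, from the UTA working group, or from any RFC 6125 draft. It consults only subjectAltName entries (dNSName and iPAddress), never the Common Name, and rejects SAN-less certificates unless a local `Policy.AcceptNoSAN` opt-in is set, which models the "MAY be configured" bullet and the smart-card client-certificate case where identity lives in the Subject DN rather than a host name. The `Policy` type, `VerifyHost`, `matchDNS` and `makeCert` names, and the sample certificates built in `main`, are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// Policy mirrors the rules under discussion (names are this example's own):
// SAN is the only source of host identity, CN is ignored entirely, and a
// certificate with no SAN is rejected unless the deployment opts in.
type Policy struct {
	AcceptNoSAN bool
}

var ErrNoSAN = errors.New("certificate has no subjectAltName: rejected by default")
var ErrNoMatch = errors.New("no SAN entry matches the reference identifier")

// hasSAN reports whether the certificate carries any SAN host identifier.
func hasSAN(c *x509.Certificate) bool {
	return len(c.DNSNames) > 0 || len(c.IPAddresses) > 0
}

// matchDNS does case-insensitive exact matching plus the single-label
// left-most wildcard form (*.example.com). The Subject CN is never read.
func matchDNS(pattern, host string) bool {
	pattern = strings.ToLower(strings.TrimSuffix(pattern, "."))
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if strings.HasPrefix(pattern, "*.") {
		rest := pattern[2:]
		i := strings.Index(host, ".")
		// exactly one label may stand in for "*"
		return i > 0 && host[i+1:] == rest
	}
	return pattern == host
}

// VerifyHost checks a reference identifier (DNS name or IP literal) against
// the certificate's SAN only, applying the SAN-less policy first.
func VerifyHost(c *x509.Certificate, ref string, p Policy) error {
	if !hasSAN(c) {
		if p.AcceptNoSAN {
			// Local policy tolerates SAN-less certs; the subject's identity is
			// then in the Subject DN and must be checked by the application,
			// not by this host-name matcher.
			return nil
		}
		return ErrNoSAN
	}
	if ip := net.ParseIP(ref); ip != nil {
		for _, san := range c.IPAddresses {
			if san.Equal(ip) {
				return nil
			}
		}
		return ErrNoMatch
	}
	for _, name := range c.DNSNames {
		if matchDNS(name, ref) {
			return nil
		}
	}
	return ErrNoMatch
}

// makeCert builds a self-signed certificate in memory (constructed test data).
func makeCert(cn string, dns []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     dns,
		IPAddresses:  ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// CN says www.example.com, SAN says api.example.com: only the SAN counts.
	c, err := makeCert("www.example.com", []string{"api.example.com"}, nil)
	if err != nil {
		panic(err)
	}
	fmt.Println("CN-only match attempt:", VerifyHost(c, "www.example.com", Policy{}))
	fmt.Println("SAN match:            ", VerifyHost(c, "api.example.com", Policy{}))
	legacy, _ := makeCert("legacy.example.com", nil, nil)
	fmt.Println("no SAN, default:      ", VerifyHost(legacy, "legacy.example.com", Policy{}))
	fmt.Println("no SAN, opted in:     ", VerifyHost(legacy, "legacy.example.com", Policy{AcceptNoSAN: true}))
}
```

The design point is in `VerifyHost`: a certificate whose only name is in the CN fails with `ErrNoMatch` even when the CN is the exact reference identifier, which is precisely the behaviour a "no CN-ID" rewrite of RFC 6125 asks of validators, while the opt-in flag keeps the door open for the DN-named client certificates the first message describes.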
_______________________________________________ Uta mailing list Uta@ietf.org https://www.ietf.org/mailman/listinfo/uta