I’m probably joining in the middle of this conversation, but please be
patient with me:
On 19 Apr 2021, at 10:48, Eliot Lear wrote:
> Hi Rich,
> A few of us just had this discussion in another context. Try this:
> CAs MUST populate a SAN.
> Verifiers MUST use a SAN if present.
> Verifiers MUST reject certificates without a SAN by default.
I don’t understand what “by default” means here; it seems to
conflict with the MUST. Of course using CN to indicate the subject of
the certificate hasn’t been good practice for 10 years or so, but this
requirement seems to run counter to the principle of being liberal in
what you accept (with the obvious exception of things that create a
security problem, but I don’t think that is the case here). What is
the problem that this requirement is solving, other than eliminating a
few lines in certificate verification code?
> Verifiers MAY be configured to accept certificates without SANs when
> very long lived certificates are expected to be encountered.
This must be the exception to the previous bullet. But I would expect
the requirement to be based on the issue date of the certificate, not
its lifetime. How does a verifier know in advance what to expect?
Are CAs issuing certificates with freeform text in their CN fields, is
that the problem?
-Jim
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
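As an added illustration of the verifier rules being discussed (this is example code written for this page, not from the thread, from any IETF draft, or from any real implementation), the following Go program encodes the three quoted rules plus Jim's variant of the exception: SAN used when present, no-SAN rejected by default, and an optional legacy allowance gated on the certificate's issue date (NotBefore) rather than its lifetime. The Policy type, the error names, the 2017 cutoff and the self-signed certificates it mints are all assumptions constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Policy is an assumed, illustrative encoding of the rules quoted in the
// thread: a present SAN is the only source of the host name; a certificate
// with no SAN is rejected by default; optionally, a CN-only certificate is
// accepted if it was issued before an operator-chosen cutoff (Jim's
// issue-date variant of the exception).
type Policy struct {
	// LegacyCNBefore, if non-zero, allows CN-only certificates whose
	// NotBefore precedes this instant. Zero means strict: no CN fallback.
	LegacyCNBefore time.Time
}

var (
	ErrNoSAN     = errors.New("no subjectAltName: rejected by default")
	ErrNoMatch   = errors.New("host not present in subjectAltName")
	ErrCNNoMatch = errors.New("host does not match legacy Common Name")
)

// hasSAN reports whether the parsed certificate carries any SAN entry.
func hasSAN(c *x509.Certificate) bool {
	return len(c.DNSNames) > 0 || len(c.IPAddresses) > 0 ||
		len(c.EmailAddresses) > 0 || len(c.URIs) > 0
}

// CheckHostName applies the policy to an already parsed certificate. Chain
// building, expiry and revocation are out of scope; only name binding.
func (p Policy) CheckHostName(c *x509.Certificate, host string) error {
	if hasSAN(c) {
		// SAN present: it MUST be used. VerifyHostname matches DNS
		// (including wildcards) and IP SAN entries and ignores the CN.
		if err := c.VerifyHostname(host); err != nil {
			return fmt.Errorf("%w: %v", ErrNoMatch, err)
		}
		return nil
	}
	// No SAN: reject unless the operator opted into the legacy exception
	// and this certificate was issued before the cutoff.
	if p.LegacyCNBefore.IsZero() || !c.NotBefore.Before(p.LegacyCNBefore) {
		return ErrNoSAN
	}
	if c.Subject.CommonName == host {
		return nil
	}
	return ErrCNNoMatch
}

// selfSigned mints a throwaway self-signed certificate (constructed test
// input, not a real CA's output) with the given CN, DNS SANs and issue date.
func selfSigned(cn string, dnsSANs []string, notBefore time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dnsSANs, // nil means no SAN extension is emitted
		NotBefore:    notBefore,
		NotAfter:     notBefore.AddDate(10, 0, 0),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	old := time.Date(2015, 1, 1, 0, 0, 0, 0, time.UTC)
	recent := time.Date(2021, 1, 1, 0, 0, 0, 0, time.UTC)
	cutoff := time.Date(2017, 1, 1, 0, 0, 0, 0, time.UTC) // assumed operator cutoff
	withSAN, _ := selfSigned("ignored.example", []string{"www.example.com"}, recent)
	cnOnlyOld, _ := selfSigned("www.example.com", nil, old)
	cnOnlyNew, _ := selfSigned("www.example.com", nil, recent)
	strict, lenient := Policy{}, Policy{LegacyCNBefore: cutoff}
	fmt.Println("SAN match, strict:        ", strict.CheckHostName(withSAN, "www.example.com"))
	fmt.Println("CN match, SAN present:    ", strict.CheckHostName(withSAN, "ignored.example"))
	fmt.Println("CN-only 2015, strict:     ", strict.CheckHostName(cnOnlyOld, "www.example.com"))
	fmt.Println("CN-only 2015, lenient:    ", lenient.CheckHostName(cnOnlyOld, "www.example.com"))
	fmt.Println("CN-only 2021, lenient:    ", lenient.CheckHostName(cnOnlyNew, "www.example.com"))
}
```

Two points worth noting from running it: with a SAN present the matching CN on "ignored.example" is still refused, which is what "MUST use a SAN if present" buys you, and the legacy allowance keys off NotBefore, so a CN-only certificate issued after the cutoff is refused even though its lifetime is identical to the older one. The Go standard library's own VerifyHostname has not consulted the CN at all since Go 1.15, so the only part of this policy a Go verifier has to add itself is the explicit rejection (or dated exception) for certificates with no SAN.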