Thanks, Brian. I appreciate your patience. The below totally works for me.
Eliot

> On 22 Apr 2021, at 18:58, Brian Smith <br...@briansmith.org> wrote:
>
> Eliot Lear <l...@cisco.com> wrote:
>> Actually, according to 802.1AR-2009, the subject MUST contain a DN
>> with serial number, and it may contain a SAN (e.g., don’t count on it).
>> That’s the major concern. To me, the rest is really negotiable.
>
> OK, great. I don't think what Rich or what I'm proposing is in conflict with
> that at all.
>
> The idea here is to tell certificate verifiers (relying parties):
> * If you're looking for a DNS name in a certificate, only look in the
>   subjectAltName. Don't look in the Subject Common Name.
> * If you're looking for an IP address in a certificate, only look in the
>   subjectAltName. Don't look in the Subject Common Name.
>
> That's it.
>
> In the case of 802.1AR-2009, the verifier is to look for a distinguished
> name (either the Subject or a directoryName subjectAltName), not a DNS name
> or an IP address, so the proposed guidance wouldn't apply.
>
> Note that RFC 6125 punted on IP addresses because they weren't commonly used
> in certificates in the working groups' judgement at the time, but now I think
> it is clear that an update to RFC 6125 should address IP addresses too.
>
> Cheers,
> Brian
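The verifier rule Brian describes (look for a DNS name or an IP address only in the subjectAltName, never in the Subject Common Name), as an added Go example that is not code from this thread or from any IETF document; makeCert builds constructed self-signed test certificates, and Matches does exact, case-insensitive comparison without wildcard handling.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"strings"
	"time"
)

// makeCert builds a self-signed test certificate (constructed data) with the
// given Subject CN plus the given dNSName and iPAddress subjectAltName entries.
func makeCert(cn string, dnsNames []string, ips []net.IP) (*x509.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		DNSNames: dnsNames, IPAddresses: ips,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Matches applies the thread's rule: a DNS name is compared only with dNSName SAN
// entries, an IP literal only with iPAddress SAN entries, and the CN is never read.
func Matches(cert *x509.Certificate, host string) bool {
	if ip := net.ParseIP(host); ip != nil {
		for _, san := range cert.IPAddresses {
			if san.Equal(ip) {
				return true
			}
		}
		return false // an IP literal never matches a dNSName entry or the CN
	}
	for _, san := range cert.DNSNames {
		if strings.EqualFold(san, host) { // exact match only; no wildcard handling
			return true
		}
	}
	return false // no dNSName matched; the Subject CN is deliberately not consulted
}
```

A certificate whose only identity is CN=example.com is rejected for example.com, which is exactly the behaviour the proposed guidance asks relying parties to adopt.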
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta