I am beginning to think that doing a complete re-issue of 6125 will be better, 
because trying to fit the “patch” described below seems awkward.  On the other 
hand, if anyone has suggestions on how to do that, please post or email or make 
a PR at https://github.com/richsalz/draft-rsalz-use-san

From: Eliot Lear <l...@cisco.com>
Date: Thursday, April 22, 2021 at 1:03 PM
To: Brian Smith <br...@briansmith.org>
Cc: Rich Salz <rs...@akamai.com>, Jim Fenton <fen...@bluepopcorn.net>, 
"uta@ietf.org" <uta@ietf.org>, <iot...@ietf.org>
Subject: Re: [Uta] How should we change draft-ietf-use-san?

Thanks, Brian.  I appreciate your patience.  The below totally works for me.


Eliot


On 22 Apr 2021, at 18:58, Brian Smith <br...@briansmith.org> wrote:

Eliot Lear <l...@cisco.com> wrote:
Actually, according to 802.1AR-2009, the subject MUST contain a DN with 
serial number, and it may contain a SAN (e.g., don’t count on it).  That’s 
the major concern.  To me, the rest is really negotiable.

OK, great. I don't think what Rich or what I'm proposing is in conflict with 
that at all.

The idea here is to tell certificate verifiers (relying parties):
* If you're looking for a DNS name in a certificate, only look in the 
subjectAltName; don't look in the Subject Common Name.
* If you're looking for an IP address in a certificate, only look in the 
subjectAltName; don't look in the Subject Common Name.

That's it.

In the case of 802.1AR-2009, the verifier is to look for a distinguished name 
(either the Subject or a directoryName subjectAltName), not a DNS name or an IP 
address, so the proposed guidance wouldn't apply.

Note that RFC 6125 punted on IP addresses because they weren't commonly used in 
certificates in the working group's judgement at the time, but now I think it 
is clear that an update to RFC 6125 should address IP addresses too.

Cheers,
Brian

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta

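The rule Brian states above (DNS names and IP addresses are matched only against subjectAltName entries, and the Subject Common Name is never consulted) is small enough to show in code. The following is an added example, not code from the thread or from draft-rsalz-use-san; it builds two throwaway self-signed certificates in memory so it runs offline, and the matcher functions, names and test hosts are the example's own. Go's standard library x509.VerifyHostname already behaves this way (it stopped falling back to the CN in Go 1.15), so the hand-written matcher here exists only to make the rule visible; the wildcard handling is limited to a single "*." leftmost label.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"strings"
	"time"
)

// makeCert builds a throwaway self-signed certificate in memory (constructed
// test data, not a real certificate) so the checks below can run offline.
func makeCert(cn string, dns []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dns, // becomes subjectAltName dNSName entries
		IPAddresses:  ips, // becomes subjectAltName iPAddress entries
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// matchDNS applies the rule for DNS names: compare the reference identifier
// only against subjectAltName dNSName entries, never against the CN.
// Matching is case-insensitive, and a leading "*." wildcard covers exactly
// one label (the shape RFC 6125 section 6.4.3 allows).
func matchDNS(cert *x509.Certificate, host string) bool {
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	for _, san := range cert.DNSNames {
		san = strings.ToLower(strings.TrimSuffix(san, "."))
		if san == host {
			return true
		}
		if strings.HasPrefix(san, "*.") {
			suffix := san[1:] // e.g. ".example.net"
			if strings.HasSuffix(host, suffix) {
				left := strings.TrimSuffix(host, suffix)
				if left != "" && !strings.Contains(left, ".") {
					return true
				}
			}
		}
	}
	return false
}

// matchIP applies the same rule for IP addresses: compare the parsed address
// only against subjectAltName iPAddress entries, never against a CN that
// happens to contain a dotted-quad string.
func matchIP(cert *x509.Certificate, addr string) bool {
	ip := net.ParseIP(addr)
	if ip == nil {
		return false
	}
	for _, san := range cert.IPAddresses {
		if san.Equal(ip) {
			return true
		}
	}
	return false
}

func main() {
	// Constructed certificates: one with only a CN, one with SAN entries and
	// a CN that should be ignored entirely.
	cnOnly, _ := makeCert("www.example.com", nil, nil)
	withSAN, _ := makeCert("192.0.2.1",
		[]string{"www.example.com", "*.example.net"},
		[]net.IP{net.ParseIP("192.0.2.1")})

	fmt.Println(matchDNS(cnOnly, "www.example.com"))  // false: CN is not consulted
	fmt.Println(matchDNS(withSAN, "www.example.com")) // true: dNSName SAN
	fmt.Println(matchDNS(withSAN, "api.example.net")) // true: one-label wildcard
	fmt.Println(matchDNS(withSAN, "a.b.example.net")) // false: wildcard covers one label
	fmt.Println(matchIP(withSAN, "192.0.2.1"))         // true: iPAddress SAN
	fmt.Println(matchIP(cnOnly, "192.0.2.1"))          // false: no SAN, CN string ignored
}
```

The CN-only certificate fails both checks even though its CN is exactly the name being looked up, which is the behaviour the proposed guidance asks of relying parties; a DN-based check of the kind 802.1AR-2009 devices rely on is a separate code path that this rule does not touch.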