Achim Kraus <achimkr...@gmx.net> wrote:
    > I may fail to understand your question or intention.  Maybe you
    > can clarify it.

    > Your initial question in "draft-tls13-iot" was:

    > "I was looking for a SN, or SAN that would encode EUI64, and I feel
    > surprised not to find one."

    > But, if you like to encode an EUI64 directly in x509 SN or SAN without
    > "translation", then I would guess, this is a question for RFC 5280 [1]
    > (and updates) and not for "draft-tls13-iot".

Updating RFC5280 would be fantastic, but not that easy.
The SAN otherName mechanism lets one add new entities, using an OID.  This is
the lowest friction way to introduce new identifiers.   We did this in
RFC8994 for instance.

The problem is that, having done this, can we use the result in SNI?
The answer is mostly no.   That's why there was some push to do something SNI
compatible, which means it has to look like a dNSName.

    > So, please: Is it about direct EUI64 support in x509?  Or about omitting
    > EUI64 in device certificates?

This is about what SNI supports vs what X509 supports.

--
Michael Richardson <mcr+i...@sandelman.ca>   . o O ( IPv6 IøT consulting )
           Sandelman Software Works Inc, Ottawa and Worldwide