On Tue, Dec 15, 2015 at 10:08 AM, Kim Alvefur <[email protected]> wrote:

> On 2015-12-15 15:55, Phillip Hallam-Baker wrote:
> > On Tue, Dec 15, 2015 at 9:39 AM, Salz, Rich <[email protected]> wrote:
> >
> >>
> >>> There's SRVName from https://tools.ietf.org/html/rfc4985 which in theory
> >>> already can be applied to https already. SRVNames are used in the XMPP
> >>> world a lot, maybe other places as well.
> >>
> >> But you can't put a SRVName in a certificate SAN field, can you?
> >
> >
> > Actually you can. The SRV label is simply a DNS name. That is arguably the
> > only way that you can legitimately create service specific certs in the
> > WebPKI.
>
> Almost, but SRVname has its own OID, so it's not the same as a DNSName.
> But they live among the other SAN fields.
>

It's worth re-reading the RFC.

https://www.ietf.org/rfc/rfc4985.txt

The reason for introducing a separate OID seems to have been wanting to drop
the protocol component, which simplifies things a lot for name constraints.
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
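
Added example, not part of the original thread: a minimal Python DER walk over a constructed subjectAltName value, showing that an RFC 4985 SRVName is carried as an otherName under its own OID (id-on-dnsSRV) rather than as a dNSName, and without a protocol label. The sample names and the helpers tlv, read_tlv and parse_san are assumptions made for illustration.

```python
# Added example (not from the thread): walk a constructed subjectAltName value.
ID_ON_DNSSRV_DER = bytes.fromhex("2b06010505070807")  # OID 1.3.6.1.5.5.7.8.7, RFC 4985

def tlv(tag, body):
    """Encode one DER TLV; short-form lengths only, enough for the sample below."""
    if len(body) > 127:
        raise ValueError("sample encoder handles short lengths only")
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):
    """Return (tag, value, next_pos), rejecting truncated or long-form input."""
    if pos + 2 > len(buf) or buf[pos + 1] & 0x80:
        raise ValueError("truncated or long-form TLV")
    end = pos + 2 + buf[pos + 1]
    if end > len(buf):
        raise ValueError("TLV overruns buffer")
    return buf[pos], buf[pos + 2:end], end

def parse_san(der):
    """List (kind, value) per GeneralName; SRVName is kept apart from dNSName."""
    tag, names, end = read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected a single GeneralNames SEQUENCE")
    out, pos = [], 0
    while pos < len(names):
        tag, val, pos = read_tlv(names, pos)
        if tag == 0x82:      # dNSName [2] IMPLICIT IA5String
            out.append(("dNSName", val.decode("ascii")))
        elif tag == 0xA0:    # otherName [0]: type-id OID, then [0] EXPLICIT value
            t1, oid, p = read_tlv(val, 0)
            t2, wrapped, p = read_tlv(val, p)
            t3, inner, p3 = read_tlv(wrapped, 0)
            if (t1, t2) != (0x06, 0xA0) or p != len(val) or p3 != len(wrapped):
                raise ValueError("malformed otherName")
            # SRVName is an IA5String (tag 0x16) under id-on-dnsSRV.
            is_srv = oid == ID_ON_DNSSRV_DER and t3 == 0x16
            out.append(("SRVName", inner.decode("ascii")) if is_srv
                       else ("otherName", inner))
        else:
            out.append(("other", val))
    return out

# Constructed sample: one dNSName plus one SRVName (_service.name, no protocol label).
SAMPLE_SAN = tlv(0x30, tlv(0x82, b"example.com") + tlv(0xA0,
    tlv(0x06, ID_ON_DNSSRV_DER) +
    tlv(0xA0, tlv(0x16, b"_xmpp-client.example.com"))))
```

A verifier that only inspects dNSName entries sees "example.com" here and never sees the SRVName, which is why the two types have to be matched separately.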
