Alexey Melnikov <aamelni...@fastmail.fm> wrote:
    >> > o In the language of [RFC6125] this provides for a SERIALNUM-ID
    >> category of identifier that can be included in a certificate and
    >> therefore that can also be used for matching purposes. The
    >> SERIALNUM-ID whitelist is collated according to manufacturer trust
    >> anchor since serial numbers are not globally unique.

    > This is actually not helping. I was looking for something like:
    > DNS-ID = a subjectAltName entry of type dNSName

    > Basically I was asking for a definition of SERIALNUM-ID somewhere.

It's a (subject)DN of serial number=123456, not a subjectAltName.
(not the CertificateSerialNumber)

It's X.520.. via 802.1AR and RFC5280 section 4.1.2.4.
https://www.itu.int/rec/dologin_pub.asp?lang=e&id=T-REC-X.520-201610-I!!PDF-E&type=items
section 6.2.9.

   o Client authentication is automated using Initial Device Identity
     (IDevID) as per the EST certificate based client authentication.
     The subject field's DN encoding MUST include the "serialNumber"
-    attribute with the device's unique serial number.
+    attribute with the device's unique serial number as explained in
+    Section 2.3.1

-  o This extends the informal set of "identifer type" values defined
-    in [RFC6125] to include a SERIALNUM-ID category of identifier that
-    can be included in a certificate and therefore that can also be
-    used for matching purposes. As noted in that document this is not

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | IoT architect   [
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
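Review bot: the added lines "+ attribute with the device's unique serial number as explained in" / "+ Section 2.3.1" leave the MUST sentence without a terminating period, and the second removed bullet is cut off at "As noted in that document this is not", so the diff as quoted does not show the full paragraph being dropped. Since that bullet is where the SERIALNUM-ID term Alexey asked about is introduced, the other text that uses it (the "SERIALNUM-ID whitelist is collated according to manufacturer trust anchor" sentence quoted at the top of this thread) would need to be reworded or pointed at Section 2.3.1 as well; including the complete removed paragraph in the diff would let reviewers check that.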
_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima
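To make the distinction in the message concrete, here is an added example (not code from the message, the draft, or the EST/BRSKI work) that walks a DER-encoded X.509 subject Name, pulls out the X.520 serialNumber attribute (OID 2.5.4.5, the value the draft calls SERIALNUM-ID) rather than the certificate's own CertificateSerialNumber, and checks it against a whitelist keyed by manufacturer trust anchor because serial numbers are not globally unique. The subject Name, the helper names and the whitelist contents are constructed for this example.

```python
from typing import Dict, Optional, Set, Tuple

# DER-encoded OBJECT IDENTIFIER for id-at-serialNumber (2.5.4.5),
# X.520 section 6.2.9 / RFC 5280 section 4.1.2.4.
SERIAL_NUMBER_OID_DER = bytes.fromhex("0603550405")

def _tlv(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder (used only to build the constructed sample)."""
    n = len(body)
    length = bytes([n]) if n < 0x80 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + body

def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Decode one DER TLV at pos; return (tag, content, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length
        k = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + length], pos + length

def subject_serial_number(name_der: bytes) -> Optional[str]:
    """Return the subject DN's serialNumber attribute (the draft's SERIALNUM-ID)
    or None. Name ::= SEQUENCE OF RDN; RDN ::= SET OF AttributeTypeAndValue.
    This attribute is unrelated to the certificate's CertificateSerialNumber."""
    _, rdns, _ = _read_tlv(name_der, 0)
    pos = 0
    while pos < len(rdns):
        _, rdn, pos = _read_tlv(rdns, pos)  # one RDN (SET)
        inner = 0
        while inner < len(rdn):
            _, atv, inner = _read_tlv(rdn, inner)  # SEQUENCE { type OID, value }
            if atv.startswith(SERIAL_NUMBER_OID_DER):
                _, value, _ = _read_tlv(atv, len(SERIAL_NUMBER_OID_DER))
                return value.decode("ascii")  # PrintableString per X.520
    return None

def is_authorized(anchor: str, name_der: bytes, whitelist: Dict[str, Set[str]]) -> bool:
    """Serial numbers are not globally unique, so the whitelist is keyed by the
    manufacturer trust anchor that validated the IDevID certificate chain."""
    serial = subject_serial_number(name_der)
    return serial is not None and serial in whitelist.get(anchor, set())

def sample_subject() -> bytes:
    """Constructed sample subject Name: O=Example Corp, CN=widget-7, serialNumber=123456."""
    def atv(oid_der: bytes, text: str) -> bytes:
        return _tlv(0x31, _tlv(0x30, oid_der + _tlv(0x13, text.encode("ascii"))))
    return _tlv(0x30, atv(bytes.fromhex("060355040a"), "Example Corp")
                + atv(bytes.fromhex("0603550403"), "widget-7")
                + atv(SERIAL_NUMBER_OID_DER, "123456"))
```

In a real deployment the Name bytes come from the validated IDevID certificate and the whitelist key from the trust anchor that chain validation actually terminated at, not from any field the device itself supplies.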