Alexey Melnikov <aamelni...@fastmail.fm> wrote:
    >> o In the language of [RFC6125] this provides for a SERIALNUM-ID
    >> category of identifier that can be included in a certificate and
    >> therefore that can also be used for matching purposes.  The
    >> SERIALNUM-ID whitelist is collated according to manufacturer trust
    >> anchor since serial numbers are not globally unique.

    > This is actually not helping. I was looking for something like:

    >   DNS-ID = a subjectAltName entry of type dNSName

    > Basically I was asking for a definition of SERIALNUM-ID somewhere.

It's a (subject)DN of serial number=123456, not a subjectAltName
(and not the CertificateSerialNumber).

It's X.520, via 802.1AR and RFC5280 section 4.1.2.4.
https://www.itu.int/rec/dologin_pub.asp?lang=e&id=T-REC-X.520-201610-I!!PDF-E&type=items
section 6.2.9.

    o  Client authentication is automated using Initial Device Identity
       (IDevID) as per the EST certificate based client authentication.
       The subject field's DN encoding MUST include the "serialNumber"
-      attribute with the device's unique serial number.
+      attribute with the device's unique serial number as explained in
+      Section 2.3.1
 
-   o  This extends the informal set of "identifer type" values defined
-      in [RFC6125] to include a SERIALNUM-ID category of identifier that
-      can be included in a certificate and therefore that can also be
-      used for matching purposes.  As noted in that document this is not
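Review bot: the added line ending "as explained in Section 2.3.1" has no terminating period, and the visible part of this hunk only deletes the [RFC6125] SERIALNUM-ID paragraph (the one Alexey was asking about, and the one carrying the typo "identifer") without showing any replacement wording. If Section 2.3.1 is now the place that defines SERIALNUM-ID as the subject DN "serialNumber" attribute, the first bullet should say that in as many words, e.g. "...the device's unique serial number; this attribute is the SERIALNUM-ID defined in Section 2.3.1." so that the definition is reachable from the bullet that references it.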


-- 
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     m...@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
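The SERIALNUM-ID described in this reply, as an added worked example that is not part of the thread or of any draft text: a minimal DER encoder/decoder for an X.501 Name, a lookup of the X.520 serialNumber attribute (OID 2.5.4.5, X.520 section 6.2.9 / RFC 5280 section 4.1.2.4) in the subject DN as a field distinct from the certificate's own CertificateSerialNumber, and a whitelist check collated per manufacturer trust anchor because serial numbers are not globally unique. The OIDs are the standard X.520 arcs; the device names, serial values, trust-anchor labels and all function names are constructed placeholders.

```python
"""Added example (not from the Anima thread or any draft): locating a
SERIALNUM-ID in an IDevID subject DN and matching it against a whitelist
collated by manufacturer trust anchor.  Sample values are constructed."""

# Well-known X.520 attribute arcs (RFC 5280 section 4.1.2.4).
OID_SERIALNUMBER = (2, 5, 4, 5)     # id-at-serialNumber, X.520 section 6.2.9
OID_COMMON_NAME = (2, 5, 4, 3)
OID_ORGANIZATION = (2, 5, 4, 10)

TAG_SEQUENCE, TAG_SET, TAG_OID, TAG_PRINTABLE, TAG_UTF8 = 0x30, 0x31, 0x06, 0x13, 0x0C


def _der_length(n):
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_length(len(body)) + body


def encode_oid(arcs):
    """DER OBJECT IDENTIFIER from a tuple of arcs (first two packed into one octet)."""
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:                       # base-128, continuation bit on all but last
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def encode_name(rdns):
    """Name ::= SEQUENCE OF RelativeDistinguishedName (one PrintableString ATV per RDN)."""
    sets = b""
    for oid, value in rdns:
        atv = _tlv(TAG_SEQUENCE, encode_oid(oid) + _tlv(TAG_PRINTABLE, value.encode("ascii")))
        sets += _tlv(TAG_SET, atv)
    return _tlv(TAG_SEQUENCE, sets)


def _read_tlv(buf, pos):
    """Return (tag, body, position just after this TLV)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return tuple(arcs)


def decode_name(der):
    """Parse a DER Name back into (oid, value) pairs, walking each RDN SET."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        tag, rdn, pos = _read_tlv(body, pos)
        if tag != TAG_SET:
            raise ValueError("RDN must be a SET")
        inner = 0
        while inner < len(rdn):          # a multi-valued RDN carries several ATVs
            _, atv, inner = _read_tlv(rdn, inner)
            _, oid_body, after = _read_tlv(atv, 0)
            vtag, vbody, _ = _read_tlv(atv, after)
            if vtag not in (TAG_PRINTABLE, TAG_UTF8):
                raise ValueError("unsupported attribute value string type")
            rdns.append((decode_oid(oid_body), vbody.decode("utf-8")))
    return rdns


def subject_serialnum_id(subject_der):
    """The SERIALNUM-ID: the subject DN's serialNumber attribute value, or None
    when the DN has no such attribute (or more than one, which is ambiguous)."""
    values = [v for oid, v in decode_name(subject_der) if oid == OID_SERIALNUMBER]
    return values[0] if len(values) == 1 else None


def match_serialnum_id(trust_anchor, cert, whitelist):
    """Whitelist lookup keyed by the manufacturer trust anchor the IDevID chained
    to.  Reads cert["subject"] only; the CertificateSerialNumber is a different
    field and is deliberately ignored here."""
    serial = subject_serialnum_id(cert["subject"])
    return serial is not None and serial in whitelist.get(trust_anchor, set())


# Constructed sample IDevID fields (placeholders, not a real device or vendor).
SAMPLE_SUBJECT = encode_name([
    (OID_ORGANIZATION, "Example Devices Inc"),
    (OID_COMMON_NAME, "sensor-0042"),
    (OID_SERIALNUMBER, "123456"),
])
NO_SERIAL_SUBJECT = encode_name([(OID_COMMON_NAME, "sensor-0043")])
SAMPLE_CERT = {"certificate_serial_number": 0x1A2B3C, "subject": SAMPLE_SUBJECT}
SAMPLE_WHITELIST = {                     # keyed by constructed trust-anchor labels
    "example-devices-idevid-ca": {"123456", "123457"},
    "other-vendor-idevid-ca": {"123457"},   # another vendor may reuse the same string
}

if __name__ == "__main__":
    print(decode_name(SAMPLE_SUBJECT))
    print("SERIALNUM-ID:", subject_serialnum_id(SAMPLE_SUBJECT))
    print(match_serialnum_id("example-devices-idevid-ca", SAMPLE_CERT, SAMPLE_WHITELIST))
```

The trust-anchor label passed to `match_serialnum_id` must come from the certificate path validation that the EST/BRSKI client authentication already performed, not from anything in the device's own certificate, otherwise a serial string that happens to be whitelisted under some other manufacturer would match.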

_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima