On Fri, Jul 19, 2019, at 12:30 AM, Michael Richardson wrote:
>
> Alexey Melnikov <aamelni...@fastmail.fm> wrote:
>     >> o In the language of [RFC6125] this provides for a SERIALNUM-ID
>     >> category of identifier that can be included in a certificate and
>     >> therefore that can also be used for matching purposes. The
>     >> SERIALNUM-ID whitelist is collated according to manufacturer trust
>     >> anchor since serial numbers are not globally unique.
>
>     > This is actually not helping. I was looking for something like:
>
>     > DNS-ID = a subjectAltName entry of type dNSName
>
>     > Basically I was asking for a definition of SERIALNUM-ID somewhere.
>
> It's a (subject)DN of serial number=123456, not a subjectAltName.
> (not the CertificateSerialNumber)

In this case, you need to use CN-ID as the base for the definition. The important part there is that the RDN can't be repeated multiple times in a DN. If it does, that would make the whole DN not suitable for use a la RFC 6125.

> It's X.520.. via 802.1AR and RFC5280 section 4.1.2.4.
> https://www.itu.int/rec/dologin_pub.asp?lang=e&id=T-REC-X.520-201610-I!!PDF-E&type=items
> section 6.2.9.
>
>    o Client authentication is automated using Initial Device Identity
>      (IDevID) as per the EST certificate based client authentication.
>      The subject field's DN encoding MUST include the "serialNumber"
> -    attribute with the device's unique serial number.
> +    attribute with the device's unique serial number as explained in
> +    Section 2.3.1
>
> -  o This extends the informal set of "identifer type" values defined
> -    in [RFC6125] to include a SERIALNUM-ID category of identifier that
> -    can be included in a certificate and therefore that can also be
> -    used for matching purposes. As noted in that document this is not

_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima
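Review bot: the `+` lines defer the meaning of the serialNumber attribute to "Section 2.3.1", which is not in the hunk, while the `-` bullet being removed was the only text that named the SERIALNUM-ID identifier type and its matching purpose; whatever Section 2.3.1 says should carry the two points raised in this reply, namely that the identifier is the serialNumber attribute of the subject DN (not the CertificateSerialNumber) matched by analogy to RFC 6125 CN-ID, and that a subject DN in which the serialNumber RDN appears more than once is not usable for matching. Minor: the added line "Section 2.3.1" ends without a period, so the sentence is left unterminated.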
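The rule proposed in the reply above, as an added example that is not part of the thread or of the draft: treat the subject DN's serialNumber attribute the way RFC 6125 treats CN-ID, accept it only when it sits in exactly one RDN that holds no other attribute, and then match the value against a whitelist keyed by the manufacturer trust anchor the chain validated to (serial numbers are only unique per manufacturer). The DN data model, the function names and the sample DNs and whitelist are constructed for this example; the serial value 123456 is the one used in the thread.

```python
"""SERIALNUM-ID matching modelled on RFC 6125 CN-ID.

Added example, not code from the draft or the mailing list. The DN is
modelled as X.501 does it: a Name is a sequence of RDNs, and each RDN is a
SET OF (attribute type, value) pairs. Sample data below is constructed.
"""
from typing import Dict, Optional, Sequence, Set, Tuple

# X.520 attribute types (id-at-serialNumber is OID 2.5.4.5).
OID_SERIALNUMBER = "2.5.4.5"
OID_COMMONNAME = "2.5.4.3"
OID_COUNTRY = "2.5.4.6"
OID_ORG = "2.5.4.10"

Rdn = Set[Tuple[str, str]]
Name = Sequence[Rdn]
Whitelist = Dict[str, Set[str]]  # trust anchor name -> permitted serials


def serialnum_id(subject: Name) -> Optional[str]:
    """Return the SERIALNUM-ID value, or None if the DN is not usable.

    Mirrors the RFC 6125 CN-ID rule ("one and only one attribute"): the
    serialNumber attribute must occur in exactly one RDN, and that RDN
    must contain nothing else. A repeated RDN or a multi-valued RDN makes
    the whole DN unsuitable for matching, so it is rejected outright.
    """
    holders = [rdn for rdn in subject
               if any(attr == OID_SERIALNUMBER for attr, _ in rdn)]
    if len(holders) != 1:
        return None            # absent, or repeated across RDNs
    rdn = holders[0]
    if len(rdn) != 1:
        return None            # multi-valued RDN: ambiguous, reject
    (_, value), = rdn
    return value


def is_whitelisted(subject: Name, trust_anchor: str,
                   whitelist: Whitelist) -> bool:
    """Match after the chain has validated to `trust_anchor`.

    The whitelist is collated per manufacturer trust anchor, so the same
    serial under a different anchor does not match.
    """
    serial = serialnum_id(subject)
    if serial is None:
        return False
    return serial in whitelist.get(trust_anchor, set())


# Constructed sample subjects.
GOOD_DN: Name = [
    {(OID_COUNTRY, "CA")},
    {(OID_ORG, "Example Manufacturer")},
    {(OID_SERIALNUMBER, "123456")},
]
REPEATED_DN: Name = [
    {(OID_ORG, "Example Manufacturer")},
    {(OID_SERIALNUMBER, "123456")},
    {(OID_SERIALNUMBER, "999999")},        # serialNumber RDN repeated
]
MULTIVALUED_DN: Name = [
    {(OID_ORG, "Example Manufacturer")},
    {(OID_COMMONNAME, "device"), (OID_SERIALNUMBER, "123456")},  # shared RDN
]
NO_SERIAL_DN: Name = [
    {(OID_ORG, "Example Manufacturer")},
    {(OID_COMMONNAME, "device")},
]

# Constructed whitelist, keyed by the (hypothetical) trust anchor names.
WHITELIST: Whitelist = {
    "Example Manufacturer Root CA": {"123456"},
    "Other Manufacturer Root CA": {"999999"},
}

if __name__ == "__main__":
    for label, dn in [("good", GOOD_DN), ("repeated", REPEATED_DN),
                      ("multivalued", MULTIVALUED_DN), ("none", NO_SERIAL_DN)]:
        print(label, serialnum_id(dn),
              is_whitelisted(dn, "Example Manufacturer Root CA", WHITELIST))
```

The two rejection branches in serialnum_id are the substance of the reply: a DN that repeats the serialNumber RDN, or folds it into a multi-valued RDN, is refused as a whole rather than matched on the first occurrence, and the per-anchor whitelist lookup encodes the draft's own statement that serial numbers are not globally unique.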