On Wed, Mar 31, 2010 at 07:46:59PM -0400, Scott Cantor wrote:
> Somewhat paraphrasing a question that I think was asked at the app
> area open meeting last week, is it the intention to encourage new
> protocols/services that adopt/reference this proposal to favor
> matching based on URIs where possible or appropriate?

That would be my inclination: use an application-specific SAN form if possible. URI or SRVName would be the obvious candidates, since they are general purpose. But some apps already define their own custom SAN types. We do need to support current practice of domain names in CN/dNSName though.

The draft currently has this text:

   Furthermore, currently the vast majority of deployed application
   servers use domain names in their certificates (typically via a
   subjectAltName extension of dNSName or a subjectName component of
   Common Name). Ideally, service operators would use application
   service identities in their certificates (such as an SRVName
   [SRVNAME], a URI, or an application-specific name form), since this
   would reduce the possibility of attacks against unrelated services
   at domain names that provide many different application services.

> That's something I'm in favor of, and I think worrying about what
> users think they're connecting to is really beside the point; users
> don't get this stuff. Our software is supposed to do the right
> things for them so that they don't have to.

Yup, absolutely agree.

--Shumon.

_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
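The preference the reply argues for, an application-specific SAN form (SRVName or URI) checked before falling back to a bare dNSName, can be shown in a small matcher. The code below is an added illustration, not from the certid thread, the draft or any IETF implementation. It assumes the SAN entries have already been pulled out of the certificate as `(type, value)` pairs (the sample certificates are constructed inline), and it uses the `_service.host` SRVName layout defined in RFC 4985, the document the draft cites as [SRVNAME]. The `services_accepted` helper makes the draft's security point concrete: a dNSName-only certificate is accepted for every service at that host, whereas an SRVName pins the certificate to one service.

```python
"""Reference-identity matching against a certificate's presented identifiers.

Added example (not from the certid thread or the draft). It tries the
application-specific SAN forms first and falls back to dNSName only to
support the current practice the reply mentions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class ReferenceIdentity:
    service: str                    # application protocol, e.g. "imap"
    host: str                       # DNS name the client intends to reach
    uri_scheme: Optional[str] = None  # set when the app identifies by URI


def _norm(name: str) -> str:
    """Case-insensitive comparison; a trailing dot is not significant."""
    return name.rstrip(".").lower()


def match_srvname(presented: str, ref: ReferenceIdentity) -> bool:
    # SRVName (RFC 4985) is "_service.host"; both parts must match.
    if not presented.startswith("_") or "." not in presented:
        return False
    service, host = presented[1:].split(".", 1)
    return service.lower() == ref.service.lower() and _norm(host) == _norm(ref.host)


def match_uri(presented: str, ref: ReferenceIdentity) -> bool:
    # A URI identifier only matches if the app identifies itself by URI,
    # and then both scheme and host must agree.
    if ref.uri_scheme is None:
        return False
    parts = urlsplit(presented)
    return (parts.scheme.lower() == ref.uri_scheme.lower()
            and _norm(parts.hostname or "") == _norm(ref.host))


def match_dnsname(presented: str, ref: ReferenceIdentity) -> bool:
    # Exact comparison only; wildcard labels are deliberately not handled here.
    return _norm(presented) == _norm(ref.host)


MATCHERS = {"SRVName": match_srvname, "URI": match_uri}


def match_certificate(presented_ids: List[Tuple[str, str]],
                      ref: ReferenceIdentity,
                      allow_dnsname_fallback: bool = True) -> Optional[str]:
    """Return the SAN type that matched the reference identity, or None.

    presented_ids is a constructed list of (san_type, value) pairs, e.g.
    [("SRVName", "_imap.example.com"), ("dNSName", "example.com")].
    Application-specific forms are consulted first; dNSName is a fallback
    that a deployment may disable once its certificates carry SRVName/URI.
    """
    for san_type, value in presented_ids:
        if san_type in MATCHERS and MATCHERS[san_type](value, ref):
            return san_type
    if allow_dnsname_fallback:
        for san_type, value in presented_ids:
            if san_type == "dNSName" and match_dnsname(value, ref):
                return san_type
    return None


def services_accepted(presented_ids: List[Tuple[str, str]],
                      services: List[str], host: str) -> List[str]:
    """Which of the given services would this certificate be accepted for?"""
    return [s for s in services
            if match_certificate(presented_ids, ReferenceIdentity(s, host))]


if __name__ == "__main__":
    # Constructed sample SAN contents for two certificates at the same host.
    cert_dns_only = [("dNSName", "example.com")]
    cert_srv = [("SRVName", "_imap.example.com")]
    apps = ["imap", "smtp", "xmpp-client"]
    print("dNSName-only cert accepted for:", services_accepted(cert_dns_only, apps, "example.com"))
    print("SRVName cert accepted for:     ", services_accepted(cert_srv, apps, "example.com"))
```

Running the module prints that the dNSName-only certificate is accepted for all three services while the SRVName certificate is accepted for `imap` alone, which is exactly the "attacks against unrelated services" exposure the draft text describes.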
