> Since nothing's referencing this specification yet anyway, why not
> outline what people should do, rather than what they are doing?
Because this isn't a brand new subject area. This doc is intended (IMHO)
to clarify (lots and lots of) existing practice and nudge it in the right
direction, not start with a clean sheet.
> A previous note mentioned the fact that DNs are hierarchical paths into
> a directory. This, of course, is not true; X.500 does not exist as a
> global/going concern, so DNs are in fact misleading in this context.
> Let's stop pretending otherwise.
Indeed, use of DNs in certs is disconnected from directory usage in
practice. Indeed, people treat DNs as what they are syntactically, a
sequence of attribute-value assertions (sometimes "OU=(c) XYZ Corp 2010,
all rights reserved"). This doesn't change the fact that CAs almost
always, in my experience, put the intended subject name in the leaf RDN of
the Subject DN, just because doing otherwise is far less likely to work
with deployed software.
So it seems to me the doc should say:
* Use subjectAlt in all its wonderfulness.
* Use of Subject DN is traditional and not recommended and being phased
out, but if you do it you should put the element in a CN that is the leaf
RDN.
People will be looking to this spec to clarify this naming mystery.
Leaving out traditional practice because it's icky just leaves the mystery
to be documented in alleyways instead.
- RL "Bob"
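What the practice recommended in the post looks like from the verifier's side, as an added example written for this page (not code from the post, the certid list or any IETF draft): the Subject DN is modelled as a plain sequence of RDNs, subjectAltName dNSName entries are used exclusively when present, and only a CN in the leaf RDN is consulted as a fallback. The DN model, the sample values and all function names are assumptions.

```python
from typing import List, Optional, Tuple

# A DN is modelled as a sequence of RDNs, root first; each RDN is a list of
# attribute-value assertions (AVAs). Constructed sample data, not a real cert.
DN = List[List[Tuple[str, str]]]

SAMPLE_SUBJECT: DN = [
    [("C", "US")],
    [("O", "XYZ Corp")],
    [("OU", "(c) XYZ Corp 2010, all rights reserved")],  # the kind of AVA the post mentions
    [("CN", "www.example.com")],                          # leaf RDN carries the intended name
]


def leaf_cn(subject: DN) -> Optional[str]:
    """Return the CN from the leaf (last) RDN only; a CN elsewhere in the DN is ignored."""
    if not subject:
        return None
    cns = [value for attr, value in subject[-1] if attr.upper() == "CN"]
    return cns[0] if len(cns) == 1 else None


def reference_names(subject: DN, san_dns: List[str]) -> List[str]:
    """Names the verifier compares against the expected host.

    If subjectAltName carries dNSName entries they are used exclusively and the
    Subject DN is not consulted at all; otherwise fall back to the leaf-RDN CN.
    """
    if san_dns:
        return [n.lower() for n in san_dns]
    cn = leaf_cn(subject)
    return [cn.lower()] if cn else []


def _label_match(pattern: str, host: str) -> bool:
    # A single '*' is accepted only as the entire left-most label and only
    # when at least two further labels follow (so "*.com" never matches).
    p_labels, h_labels = pattern.split("."), host.split(".")
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return pattern == host
    if p_labels[0] == "*":
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def host_matches(expected_host: str, subject: DN, san_dns: List[str]) -> bool:
    """True when expected_host is one of the certificate's reference names."""
    host = expected_host.lower().rstrip(".")
    return any(_label_match(name, host) for name in reference_names(subject, san_dns))
```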
_______________________________________________
certid mailing list
https://www.ietf.org/mailman/listinfo/certid