> 6. The certificate SHOULD NOT represent the server's fully-qualified
> DNS domain name by means of a DC-ID, i.e., a series of Domain
> Component (DC) attributes in the certificate subject, with one
> RDN per domain label and one DC in each RDN. Although (for
> example) <dc=www,dc=example,dc=com> could be used to represent
> the DNS domain name "www.example.com", given the fact that the
> DNS-ID can be used instead, the DC-ID is NOT RECOMMENDED.
This should be a MUST NOT. And the reason for the prohibition is not "DNS-ID can be used instead", but rather "this is insecure because you can interpret the series of RDNs incorrectly".

--Paul Hoffman, Director
--VPN Consortium

_______________________________________________
certid mailing list
https://www.ietf.org/mailman/listinfo/certid
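To make the interpretation problem concrete, the following is an added Python example (not from the draft text or from this message) that derives a DNS name from a DC-ID subject only under the strict reading of item 6 and returns None for anything else, next to the careless join a naive implementation would do. The subjects are constructed for the example; that the RDN sequence is handled in DER (root-first) order and that DC RDNs must be contiguous are assumptions of the example.

```python
from typing import List, Optional, Tuple

# An RDNSequence in DER order (root first, as encoded in the certificate).
# Each RDN is the list of (attribute type, value) pairs it contains, which
# mirrors the shape of cryptography's x509.Name.rdns. All data below is
# constructed for this example, not taken from any real certificate.
RDN = List[Tuple[str, str]]


def dns_name_from_dc_id(rdns: List[RDN]) -> Optional[str]:
    """Strict reading of item 6: one RDN per label, exactly one DC per RDN,
    DC RDNs contiguous at the root of the sequence (assumption), labels
    non-empty and dot-free, joined leaf-first (DER order is root-first, so
    the collected values are reversed). Returns None if any rule fails."""
    labels: List[str] = []
    seen_non_dc = False
    for rdn in rdns:
        types = [t.lower() for t, _ in rdn]
        if "dc" not in types:
            seen_non_dc = True          # e.g. a trailing CN is fine
            continue
        if len(rdn) != 1 or seen_non_dc:
            return None                 # multi-valued RDN or DCs not contiguous
        label = rdn[0][1]
        if not label or "." in label:
            return None                 # empty label or embedded dot
        labels.append(label.lower())
    return ".".join(reversed(labels)) if labels else None


def naive_dns_name(rdns: List[RDN]) -> str:
    """What a careless implementation does: join every DC value in DER order."""
    return ".".join(v for rdn in rdns for t, v in rdn if t.lower() == "dc")


# Constructed subjects (DER order).
WELL_FORMED = [[("DC", "com")], [("DC", "example")], [("DC", "www")], [("CN", "www")]]
DOTTED = [[("DC", "com")], [("DC", "example.www")]]            # dot inside a DC value
MULTI = [[("DC", "com")], [("DC", "example"), ("OU", "x")], [("DC", "www")]]

if __name__ == "__main__":
    for name, subj in (("well-formed", WELL_FORMED), ("dotted", DOTTED), ("multi", MULTI)):
        print(name, "strict:", dns_name_from_dc_id(subj), "naive:", naive_dns_name(subj))
```

Note that the naive join turns the well-formed subject into "com.example.www" and the dotted one into a plausible-looking "com.example.www" as well, which is the kind of misreading the reply above refers to.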
