> 1. The certificate MUST include a "DNS-ID" (i.e., a subjectAltName
> identifier of type dNSName).

. . .

> Therefore, if and only if the identity set does not include
> subjectAltName extensions of type dNSName, SRVName, or
> uniformResourceIdentifier (or any application-specific subjectAltName
> extensions supported by the client), the client MAY as a fallback
> check for a fully-qualified DNS domain name in the last Common Name
> RDN in the sequence of RDNs making up the Distinguished Name within
> the certificate's subjectName (where the term "last" refers to the
> DER order, which is often not the string order presented to a user;
> the order that is applied here MUST be the DER order).

Bzzzzzt! All of 3.4.4 is bogus, given that DNS-ID is required. Please remove it.

--Paul Hoffman, Director
--VPN Consortium

_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
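As an added illustration (not part of the thread or of any IETF draft), the Python below models the selection rule in the quoted text on plain Python data instead of parsed DER: DNS-IDs come from subjectAltName, the CN fallback is consulted only when none of the listed SAN types is present, and "last CN" means last in DER order, which the RFC 4514 display string reverses. All function names and the certificate data are constructed for the example.

```python
from typing import List, Optional, Tuple

SanEntry = Tuple[str, str]   # (GeneralName type, value), constructed model of a SAN
Rdn = Tuple[str, str]        # (attribute type, value), one RDN in DER order

# SAN types that, per the quoted draft text, rule out any fallback to the CN.
SAN_TYPES_SUPPRESSING_CN = {"dNSName", "SRVName", "uniformResourceIdentifier"}


def has_dns_id(sans: List[SanEntry]) -> bool:
    """Point 1 of the quoted text: the certificate MUST carry a dNSName SAN."""
    return any(t == "dNSName" for t, _ in sans)


def rfc4514_string(subject_rdns: List[Rdn]) -> str:
    """Display form: RFC 4514 lists RDNs in the reverse of DER order,
    so the 'last' CN in DER order appears first in the string a user sees."""
    return ",".join(f"{t}={v}" for t, v in reversed(subject_rdns))


def last_cn_in_der_order(subject_rdns: List[Rdn]) -> Optional[str]:
    """Walk the DER-ordered RDN sequence from the end and return the last CN."""
    for attr_type, value in reversed(subject_rdns):
        if attr_type == "CN":
            return value
    return None


def is_fqdn(name: str) -> bool:
    """Minimal LDH check: at least two labels, no empty or hyphen-edged labels."""
    labels = name.rstrip(".").split(".")
    if len(labels) < 2:
        return False
    return all(lbl and len(lbl) <= 63 and not lbl.startswith("-")
               and not lbl.endswith("-")
               and all(c.isalnum() or c == "-" for c in lbl) for lbl in labels)


def reference_candidates(sans: List[SanEntry], subject_rdns: List[Rdn]) -> Tuple[List[str], str]:
    """Return (identifiers to match against the reference identity, their source)."""
    dns_ids = [v for t, v in sans if t == "dNSName"]
    if dns_ids:
        return dns_ids, "DNS-ID"
    # Any listed SAN type present (e.g. only a URI) forbids the CN fallback.
    if any(t in SAN_TYPES_SUPPRESSING_CN for t, _ in sans):
        return [], "none"
    cn = last_cn_in_der_order(subject_rdns)
    if cn and is_fqdn(cn):
        return [cn], "CN-ID"
    return [], "none"
```

If a client enforces `has_dns_id` first, as point 1 requires, `reference_candidates` never reaches the CN branch, which is the point the reply makes.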
