On Fri, Jun 11, 2010 at 05:07:50PM -0700, Paul Hoffman wrote:
>    1.  The certificate MUST include a "DNS-ID" (i.e., a subjectAltName
>        identifier of type dNSName).
> 
>    2.  If the service using the certificate deploys a technology in
>        which a server is discovered by means of DNS SRV records
>        [DNS-SRV] (e.g., this is true of [XMPP]), then the certificate
>        SHOULD include an "SRV-ID" (i.e., an instance of the SRVName form
>        of otherName from the GeneralName structure in the subjectAltName
>        as specified in [SRVNAME]).
> 
> If 2 is true, what is the value of the required DNS-ID?

I don't think (1) is correct. If someone intends to deploy a
certificate with an application-specific name form such as SRV-ID
or URI-ID, then they typically would not want to have a dNSName
in the certificate, to make sure that the cert can't be (mis)used
for unrelated application services at that domain name.

Of course one might decide to include dNSName too for transition
or backwards compatibility reasons. But I don't think that saying
the certificate MUST include a dNSName is correct.

--Shumon.
_______________________________________________
certid mailing list
https://www.ietf.org/mailman/listinfo/certid
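The scoping argument in the reply above, shown as reference-identity matching code. This is an added example, not code from the thread or from any IETF document: presented identifiers are modelled as (type, value) pairs taken from a certificate's subjectAltName, SRVName is written in its "_Service.Name" text form, and wildcard dNSName matching is deliberately left out (assumptions).

```python
"""Added example: which clients accept a certificate that carries only an
SRV-ID versus one that also carries a DNS-ID (dNSName)?  Constructed
sample certificates; SRVName uses the "_Service.Name" text form and
wildcards are not handled (simplifying assumptions)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SAN = List[Tuple[str, str]]  # [("dNSName", "example.com"), ("SRVName", "_xmpp-client.example.com")]


@dataclass(frozen=True)
class Reference:
    """The client's reference identity: source domain plus, for an SRV-using
    application, the service it looked up (service=None means DNS-ID only)."""
    domain: str
    service: Optional[str] = None


def _split_srv(srvname: str) -> Optional[Tuple[str, str]]:
    # "_xmpp-client.example.com" -> ("xmpp-client", "example.com"); None if malformed
    if not srvname.startswith("_") or "." not in srvname:
        return None
    service, _, name = srvname[1:].partition(".")
    return service.lower(), name.lower().rstrip(".")


def matching_ids(san: SAN, ref: Reference) -> SAN:
    """Return every presented identifier that matches the reference identity."""
    domain = ref.domain.lower().rstrip(".")
    hits: SAN = []
    for kind, value in san:
        if kind == "dNSName" and value.lower().rstrip(".") == domain:
            hits.append((kind, value))  # a DNS-ID matches regardless of service
        elif kind == "SRVName" and ref.service is not None:
            if _split_srv(value) == (ref.service.lower(), domain):
                hits.append((kind, value))  # SRV-ID: service AND domain must agree
    return hits


def accepts(san: SAN, ref: Reference) -> bool:
    return bool(matching_ids(san, ref))


# Constructed sample certificates and clients (example values, not real).
SRV_ONLY_CERT: SAN = [("SRVName", "_xmpp-client.example.com")]
SRV_PLUS_DNS_CERT: SAN = SRV_ONLY_CERT + [("dNSName", "example.com")]
XMPP_CLIENT = Reference("example.com", service="xmpp-client")
HTTPS_CLIENT = Reference("example.com")                 # checks DNS-ID only
IMAP_CLIENT = Reference("example.com", service="imap")  # unrelated SRV service

if __name__ == "__main__":
    for cert_name, cert in (("SRV-only", SRV_ONLY_CERT), ("SRV+DNS", SRV_PLUS_DNS_CERT)):
        for client, ref in (("xmpp", XMPP_CLIENT), ("https", HTTPS_CLIENT), ("imap", IMAP_CLIENT)):
            print(f"{cert_name:8} cert, {client:5} client: accepted={accepts(cert, ref)}")
```

The SRV-only certificate is accepted by the XMPP client alone, while adding the dNSName makes the same certificate acceptable to the HTTPS and IMAP clients as well, which is exactly the cross-service reuse the reply warns about.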