On 6/11/10 7:32 PM, Shumon Huque wrote:
> On Fri, Jun 11, 2010 at 05:07:50PM -0700, Paul Hoffman wrote:
>> 1. The certificate MUST include a "DNS-ID" (i.e., a subjectAltName
>> identifier of type dNSName).
>>
>> 2. If the service using the certificate deploys a technology in
>> which a server is discovered by means of DNS SRV records
>> [DNS-SRV] (e.g., this is true of [XMPP]), then the certificate
>> SHOULD include an "SRV-ID" (i.e., an instance of the SRVName form
>> of otherName from the GeneralName structure in the subjectAltName
>> as specified in [SRVNAME]).
>>
>> If 2 is true, what is the value of the required DNS-ID?
>
> I don't think (1) is correct. If someone intends to deploy a
> certificate with an application specific name form such as SRV-ID
> or URI-ID, then they typically would not want to have a dNSName
> in the certificate, to make sure that the cert can't be (mis)used
> for unrelated application services at that domain name.
>
> Of course one might decide to include dNSName too for transition
> or backwards compatibility reasons. But I don't think that saying
> the certificate MUST include a dNSName is correct.
Shumon, I think you are correct here, and that DNS-ID needs to be "SHOULD" instead of "MUST".

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
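The distinction the thread turns on (a DNS-ID is a subjectAltName dNSName, an SRV-ID is the SRVName otherName from RFC 4985, and only the latter is scoped to one service) is easiest to see by encoding both forms and running a reference-identifier check against them. The following is an added example written for this page, not code from the thread or from any IETF document; it uses hand-rolled DER helpers rather than a certificate library, the id-on-dnsSRV OID 1.3.6.1.5.5.7.8.7 from RFC 4985, and constructed SAN contents for a hypothetical example.com. The `matches` function is a simplified RFC 6125-style matcher (exact, case-insensitive comparison, no wildcards) and is an assumption of this example, not a normative algorithm.

```python
"""Encode and decode subjectAltName GeneralNames containing DNS-IDs (dNSName)
and SRV-IDs (otherName with SRVName), then match them the way an RFC 6125-style
client would. All certificate contents below are constructed for illustration."""

SRVNAME_OID = "1.3.6.1.5.5.7.8.7"  # id-on-dnsSRV (RFC 4985)


def _der_len(n):
    """DER length octets (short form below 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def _decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf, pos):
    """Return (tag, value bytes, position after this TLV)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first < 0x80:
        length = first
    else:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def encode_san(dns_ids=(), srv_ids=()):
    """Build the DER value of a SubjectAltName extension (GeneralNames)."""
    items = []
    for name in dns_ids:
        items.append(_tlv(0x82, name.encode("ascii")))  # [2] dNSName IA5String
    for srv in srv_ids:
        # otherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
        # SRVName is an IA5String "_Service.Name" (RFC 4985).
        inner = _encode_oid(SRVNAME_OID) + _tlv(0xA0, _tlv(0x16, srv.encode("ascii")))
        items.append(_tlv(0xA0, inner))  # [0] otherName
    return _tlv(0x30, b"".join(items))


def decode_san(der):
    """Extract DNS-IDs and SRV-IDs; other GeneralName forms are ignored."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("SubjectAltName must be a SEQUENCE")
    ids = {"DNS-ID": [], "SRV-ID": []}
    pos = 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag == 0x82:
            ids["DNS-ID"].append(val.decode("ascii"))
        elif tag == 0xA0:
            _, oid_body, p = _read_tlv(val, 0)
            if _decode_oid(oid_body) == SRVNAME_OID:
                _, explicit, _ = _read_tlv(val, p)   # [0] EXPLICIT wrapper
                _, s, _ = _read_tlv(explicit, 0)     # inner IA5String
                ids["SRV-ID"].append(s.decode("ascii"))
    return ids


def matches(san_der, domain, service=None):
    """Simplified reference-identifier check (assumption of this example):
    prefer an SRV-ID for the requested service, fall back to a DNS-ID."""
    ids = decode_san(san_der)
    if service is not None:
        want = f"{service}.{domain}".lower()
        if any(s.lower() == want for s in ids["SRV-ID"]):
            return "SRV-ID"
    if any(d.lower() == domain.lower() for d in ids["DNS-ID"]):
        return "DNS-ID"
    return None


# Constructed SANs: one cert scoped to XMPP only, one that also carries a DNS-ID.
SRV_ONLY_SAN = encode_san(srv_ids=["_xmpp-client.example.com"])
SRV_AND_DNS_SAN = encode_san(dns_ids=["example.com"], srv_ids=["_xmpp-client.example.com"])

if __name__ == "__main__":
    print("XMPP client, SRV-only cert:", matches(SRV_ONLY_SAN, "example.com", "_xmpp-client"))
    print("generic DNS-ID client, SRV-only cert:", matches(SRV_ONLY_SAN, "example.com"))
    print("generic DNS-ID client, cert with dNSName:", matches(SRV_AND_DNS_SAN, "example.com"))
```

Run as a script, the SRV-only certificate satisfies an XMPP client that checks SRV-IDs but is rejected by a client that only knows DNS-IDs, which is exactly the scoping property Shumon describes; adding the dNSName makes the same certificate acceptable to any service at example.com.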
