On Thu, 2019-10-17 at 17:35 +0200, Laszlo Ersek wrote: > Reference [2] advises to put the IP address in both CN and > SAN.iPAddress > for best compatibility, and that would be fine, for > X509_VERIFY_PARAM_set1_ip(). But the word "only" in [3] is really bad > for X509_VERIFY_PARAM_set1_ip().
I don't believe it's true, and it conflicts with what's in [2] which suggests that you do it properly *and* put it in the legacy CN for the benefit of broken clients. None of this convinces me that EDK2 should deliberately be one of those "broken clients". Just fix it. Let people worry about compatibility with historical buggy versions of proprietary operating systems when they issue their certs. -=-=-=-=-=-=-=-=-=-=-=- Groups.io Links: You receive all messages sent to this group. View/Reply Online (#49183): https://edk2.groups.io/g/devel/message/49183 Mute This Topic: https://groups.io/mt/34551672/21656 Group Owner: devel+ow...@edk2.groups.io Unsubscribe: https://edk2.groups.io/g/devel/unsub [arch...@mail-archive.com] -=-=-=-=-=-=-=-=-=-=-=-
smime.p7s
Description: S/MIME cryptographic signature
