How about including: "Some deployments may require the presence of client and server authentication extended key usage extensions in certificates. Client implementations wishing to interoperate in these environments SHOULD check the server's certificate for an Extended Key Usage field containing id-kp-serverAuth (1.3.6.1.5.5.7.3.1) or the special keyPurposeID anyExtendedKeyUsage. Server implementations wishing to interoperate in this environment SHOULD check the client's certificate for an Extended Key Usage field containing id-kp-clientAuth (1.3.6.1.5.5.7.3.2) or the special keyPurposeID anyExtendedKeyUsage. Note that these key usage extension identifiers for server and client authentication are somewhat generic and may not be sufficient to authorize an entity's role specifically as an EAP-TLS client or server."
Looks good.
> Can someone describe a case where there would be more than
> one subjectAltName in a certificate?
> I'm having a hard time wrapping my head around this case.
>
> [Joe] The subjectAltName may contain a host name as DNSName and a manufacturing serial number as an OtherName or perhaps it may contain a UPN and a SIP URI.
Any recommendations on what we should say about this?
