> 
>    If subject naming information is present only in the subject name
>    field and the peer identity represents a user, then the subject name
>    field SHOULD contain an emailAddress RDN.  If the peer identity
>    represents a host or device the subject name field SHOULD contain a
>    CN RDN or Serial Number RDN.
> [rmh] If you say they can include a serialNumber (not Serial 
> Number) RDN then you have to specify processing semantics 
> when more than one are present, and discuss what sort of 
> value is used here, etc.
> [rmh] I suggest dropping the " or Serial Number RDN" portion 
> of this text, we can if appropriate work on an appendix or 
> other RFC that discusses these issues; I suspect the right 
> answer will be to reference the Permanent Identifier RFC from 
> the PKIX working group which already deals with these problems.
> 

[Joe] Would you not have to do the same with email address or CN?  It
seems it would be possible for multiple of these to be present.  There
should not be any semantics associated with a serial number other than
it is an identifier.  It should not be interpreted as a MAC address or
some other value without additional knowledge outside this
specification.  I agree that this would not be the place to consistently
find a MAC address. I would prefer to keep Serial Number as a
possibility as it is at least as relevant as the other fields.  I would
be fine with the previous text I posted with a MAY. 

>    If subject naming information is present only in the subject name
>    field of a server certificate, then the subject name field MUST
>    contain a CN RDN or Serial Number RDN.
> [rmh] See my prior statements on serialNumber RDN.
> 
> 

_______________________________________________
Emu mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/emu
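As an added example (not text from the draft and not code from anyone in the thread), the selection rule the quoted passage describes, written out in Python so that the case rmh raises, more than one candidate RDN in one subject name, is visible rather than silently resolved. Rejecting an ambiguous subject is this example's own choice, not a rule the draft states, and the names `parse_dn`, `ALLOWED`, `identity_candidates` and `select_identity` are the example's own.

```python
# Added example: apply the quoted draft rule (user -> emailAddress;
# host/device or server -> CN or serialNumber) to a subject name and
# report, instead of guessing, when zero or several candidate RDNs exist.
import re

# Attribute types the quoted draft text allows for each peer kind.
ALLOWED = {
    "user": ("emailAddress",),
    "host": ("CN", "serialNumber"),
    "server": ("CN", "serialNumber"),
}

def parse_dn(dn):
    """Parse an RFC 4514 string DN into a list of RDNs, each a list of
    (type, value) pairs. Handles ',' between RDNs, '+' inside a
    multi-valued RDN and single backslash escapes; an escaped backslash
    directly before a separator is not handled (enough for a worked
    example, not a full RFC 4514 parser)."""
    rdns = []
    for rdn in re.split(r"(?<!\\),", dn):
        avas = []
        for ava in re.split(r"(?<!\\)\+", rdn):
            attr_type, _, value = ava.partition("=")
            avas.append((attr_type.strip(),
                         re.sub(r"\\(.)", r"\1", value.strip())))
        rdns.append(avas)
    return rdns

def identity_candidates(dn, peer_kind):
    """All (type, value) pairs in the subject that could name this peer."""
    wanted = ALLOWED[peer_kind]
    return [(t, v) for rdn in parse_dn(dn) for (t, v) in rdn if t in wanted]

def select_identity(dn, peer_kind):
    """Return the single identifying (type, value); raise ValueError when
    the subject carries none or more than one candidate, which is exactly
    the situation the thread says needs defined processing semantics."""
    candidates = identity_candidates(dn, peer_kind)
    if not candidates:
        raise ValueError(f"no {'/'.join(ALLOWED[peer_kind])} RDN for "
                         f"{peer_kind}: {dn!r}")
    if len(candidates) > 1:
        raise ValueError(f"ambiguous identity for {peer_kind}: {candidates}")
    return candidates[0]

if __name__ == "__main__":
    # Constructed sample subjects, not taken from any real certificate.
    print(select_identity("CN=host.example.com,O=Example Corp", "host"))
    print(select_identity(r"emailAddress=alice@example.com,CN=Smith\, Alice", "user"))
    try:
        select_identity("serialNumber=1234,serialNumber=5678,O=Example Corp", "host")
    except ValueError as err:
        print("rejected:", err)
```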