[Joe] I don't see any more confusion over having multiple serial numbers
than having multiples of any other attribute.
Placing multiple identities into a peer certificate represents an assertion
that the identities are equivalent. If they are not equivalent, then they
should be placed into separate certificates. If the identities are
equivalent, then you could put "[EMAIL PROTECTED]" and
"[EMAIL PROTECTED]" into a peer certificate, and the server would be free
to pick one (e.g. the first one), and use that to obtain the authorizations,
assuming that the peer proved possession of the private key.
With a serial number or MAC address, I don't think this logic holds.
Multiple serial numbers or MAC addresses are not equivalent. For example,
the server might take the first MAC address as the peer identity, but then
it might expect this to match the Called-Station-Id attribute, and it won't,
because that MAC address was the second one. So the server may need to do
something different, like check all of the potential identities. That
implies that identities really aren't equivalent, and probably belong in
separate certificates.
_______________________________________________
Emu mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/emu
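The failure mode described in the post above, as an added example that is not part of the original message or of any EAP implementation: a server that takes the first MAC-address identity out of a certificate and compares only that one against the station-ID attribute (the post names Called-Station-Id) fails when the matching MAC is the second entry, while a server that checks every identity in the certificate succeeds. The identity list standing in for SAN entries, the attribute value and the function names are constructed for this illustration; MAC normalization across the common textual forms is added so that a different separator style on the NAS side does not produce a spurious mismatch.

```python
# Added example, not part of the original Emu post: why "take the first
# identity" breaks for non-equivalent identities such as MAC addresses.
# The SAN-like identity list and the station-ID attribute value below are
# constructed sample data; the function names are this example's own.
import re
from typing import Iterable, Optional

_HEX12 = re.compile(r"^[0-9a-f]{12}$")


def normalize_mac(text: str) -> Optional[str]:
    """Return a MAC as 12 lowercase hex digits, or None if it is not a MAC.

    Accepts the common textual forms a peer might put into a certificate or a
    NAS might send in a RADIUS attribute: 00:11:22:33:44:55, 00-11-22-33-44-55,
    0011.2233.4455 and 001122334455. Anything else (an e-mail address, a
    serial number, a hostname) yields None rather than a false match.
    """
    compact = re.sub(r"[:\-.]", "", text.strip().lower())
    return compact if _HEX12.fullmatch(compact) else None


# Constructed peer certificate identities (standing in for SAN entries).
# The MAC that the server expects to see is deliberately the SECOND entry.
PEER_IDENTITIES = ["00:11:22:33:44:66", "00-11-22-33-44-55"]

# Constructed value of the station-ID attribute the server compares against,
# in the dotted form some NAS vendors emit.
STATION_ID = "0011.2233.4455"


def first_identity_matches(identities: Iterable[str], station_id: str) -> bool:
    """Policy from the post's failure case: pick the first identity and
    compare only it with the station-ID attribute."""
    identities = list(identities)
    if not identities:
        return False
    first = normalize_mac(identities[0])
    return first is not None and first == normalize_mac(station_id)


def matching_identity(identities: Iterable[str], station_id: str) -> Optional[str]:
    """Policy the post says the server 'may need to do': check every MAC
    identity in the certificate and return the one that matches, or None."""
    wanted = normalize_mac(station_id)
    if wanted is None:
        return None
    for ident in identities:
        if normalize_mac(ident) == wanted:
            return ident
    return None


if __name__ == "__main__":
    print("first-only policy:", first_identity_matches(PEER_IDENTITIES, STATION_ID))  # False
    print("check-all policy:", matching_identity(PEER_IDENTITIES, STATION_ID))    # 00-11-22-33-44-55
```

The point the code makes is the one the post draws: once the server has to iterate over all the identities to find the one that fits, the identities are being treated as distinct claims rather than as equivalent names for one peer, which is the argument for placing them in separate certificates. Note also that the check only runs after the peer has proven possession of the private key; matching a MAC string by itself authorizes nothing.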