> -----Original Message-----
> From: Bernard Aboba [mailto:[EMAIL PROTECTED]
> Sent: Wednesday, February 21, 2007 9:43 PM
> To: [email protected]
> Subject: RE: [Emu] RE: draft-simon-emu-rfc2716bis-07.txt
>
> [Joe] I don't see any more confusion over having multiple
> serial numbers than having multiples of any other attribute.
>
> Placing multiple identities into a peer certificate
> represents an assertion that the identities are equivalent.
> If they are not equivalent, then they should be placed into
> separate certificates. If the identities are equivalent,
> then you could put "[EMAIL PROTECTED]" and
> "[EMAIL PROTECTED]" into a peer certificate, and the server
> would be free to pick one (e.g. the first one), and use that
> to obtain the authorizations, assuming that the peer proved
> possession of the private key.
> [Joe] I don't see why this doesn't hold for serial numbers as well.
> With a serial number or MAC address, I don't think this logic holds.
> Multiple serial numbers or MAC addresses are not equivalent.
> For example, the server might take the first MAC address as
> the peer identity, but then it might expect this to match the
> Called-Station-Id attribute, and it won't, because that MAC
> address was the second one. So the server may need to do
> something different, like check all of the potential
> identities. That implies that identities really aren't
> equivalent, and probably belong in separate certificates.
> [Joe] The same thing can happen with multiple CN or multiple email addresses. One of the values in the certificate may not match an authorization entry while another one may. Just to reiterate, I am not suggesting that serial numbers have MAC address semantics.
>
>
> _______________________________________________
> Emu mailing list
> [email protected]
> https://www1.ietf.org/mailman/listinfo/emu
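The exchange above turns on what a server does with a peer certificate that carries more than one identity: take the first one and use it for authorization (sound only if all the identities are equivalent), or check every identity (what it ends up needing when they are not, e.g. two MAC addresses of which only the second matches the Station-Id attribute). The following Python is an added example, not code from draft-simon-emu-rfc2716bis or from anyone in this thread. It models identities as (type, value) tuples as a server would extract them from the subject and subjectAltName, implements both policies side by side, and shows the mismatch case Bernard describes. The certificate contents, the authorization table and the RADIUS Station-Id values are all constructed, and the MAC canonicalisation rule is this example's own assumption, not something taken from a specification.

```python
"""
Authorization over a peer certificate that carries several identities.

Added example (not code from draft-simon-emu-rfc2716bis or from the
mailing-list thread).  Contrasts two EAP-TLS server behaviours:
  - check_all=False: take the first identity and use it for
    authorization, sound when all identities in the cert are equivalent;
  - check_all=True: try every identity, which is what a server needs
    when they are not equivalent (e.g. several MAC addresses).

Assumptions: identities are (type, value) tuples; the authorization
table, certificate contents and Station-Id values are constructed; the
MAC canonicalisation rule below is this example's own choice.
"""
import re
from typing import Optional

# Accepts "aa:bb:cc:dd:ee:ff" / "AA-BB-CC-DD-EE-FF" (optionally followed
# by ":SSID" as in a Station-Id attribute) or Cisco-style "aabb.ccdd.eeff".
_MAC_RE = re.compile(
    r"^(?:[0-9a-f]{2}[:\-]){5}[0-9a-f]{2}|^(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}",
    re.IGNORECASE,
)


def canonical_mac(value: str) -> Optional[str]:
    """Return a MAC as lower-case colon-separated hex, or None when the
    value does not start with a recognisable MAC (assumed formats above)."""
    m = _MAC_RE.match(value)
    if not m:
        return None
    digits = re.sub(r"[^0-9a-f]", "", m.group(0).lower())
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def canonical_identity(id_type: str, value: str) -> Optional[str]:
    """Normalise one certificate identity into the key form used by
    the authorization table (assumed: e-mail lower-cased, MACs canonical)."""
    if id_type == "rfc822Name":
        return value.lower()
    if id_type == "macAddress":
        return canonical_mac(value)
    return value


def authorize(identities, authz_db, check_all=False):
    """Look up authorization attributes for the authenticated peer.

    check_all=False picks the first identity only, as the thread describes
    a server doing when the identities are asserted to be equivalent.
    check_all=True tries every identity until one has an entry.
    Returns (identity used, attributes) or None.
    """
    candidates = identities if check_all else identities[:1]
    for id_type, value in candidates:
        key = canonical_identity(id_type, value)
        if key is not None and key in authz_db:
            return key, authz_db[key]
    return None


def station_id_matches(identities, station_id, check_all=False):
    """Does the MAC in a RADIUS Station-Id attribute match the peer cert,
    compared against the first MAC only or against all of them?"""
    want = canonical_mac(station_id)
    macs = [canonical_mac(v) for t, v in identities if t == "macAddress"]
    candidates = macs if check_all else macs[:1]
    return want is not None and want in candidates


# Constructed sample data.
EQUIVALENT_IDENTITIES = [
    ("rfc822Name", "user@example.com"),
    ("rfc822Name", "User@Corp.example.com"),
]
NON_EQUIVALENT_IDENTITIES = [
    ("macAddress", "00:11:22:33:44:55"),  # first MAC in the certificate
    ("macAddress", "66:77:88:99:aa:bb"),  # second MAC in the certificate
]
AUTHZ_DB = {
    "user@example.com": {"vlan": 10},
    "user@corp.example.com": {"vlan": 10},  # same entitlement: equivalent
    "66:77:88:99:aa:bb": {"vlan": 20},      # only the second MAC is known
}
STATION_ID = "66-77-88-99-AA-BB:corpnet"    # constructed Station-Id value


if __name__ == "__main__":
    # Equivalent identities: picking the first one is enough.
    print(authorize(EQUIVALENT_IDENTITIES, AUTHZ_DB))
    # Non-equivalent identities: first-only fails, check-all succeeds.
    print(authorize(NON_EQUIVALENT_IDENTITIES, AUTHZ_DB))
    print(authorize(NON_EQUIVALENT_IDENTITIES, AUTHZ_DB, check_all=True))
    print(station_id_matches(NON_EQUIVALENT_IDENTITIES, STATION_ID))
    print(station_id_matches(NON_EQUIVALENT_IDENTITIES, STATION_ID,
                             check_all=True))
```

With the two e-mail identities either policy yields the same authorization, which is the "equivalent identities" case; with the two MAC addresses the first-only policy finds no entry and reports a Station-Id mismatch, while the check-all policy succeeds, which is the behaviour change the thread says a server would be forced into.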
