You're right, there can be only one distinguished name. However, there are also cases where more than one subjectAltName may be present along with an empty DN; I don't think mandating a DN is a good idea since 3280 doesn't do that.
Ryan

-----Original Message-----
From: Joseph Salowey (jsalowey) [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, June 06, 2007 3:53 PM
To: Bernard Aboba; [email protected]
Subject: RE: [Emu] Proposed Resolution to multiple Peer-Id/Server-Id Issue

Hi Bernard,

I don't think a valid certificate can have multiple subject distinguished names. I think it would be more in line with RFC 3280 to treat the subject distinguished name as part of the valid name set if it is non-empty.

"It is possible for more than one subjectAltName field to be present in a peer or server certificate in addition to a non-empty subject distinguished name. EAP-TLS implementations SHOULD export a non-empty Subject distinguished name along with all the subjectAltName fields within Peer-Ids or Server-Ids; all of the exported Peer-Ids and Server-Ids are considered valid."

Joe

> -----Original Message-----
> From: Bernard Aboba [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, June 05, 2007 10:05 PM
> To: [email protected]
> Subject: [Emu] Proposed Resolution to multiple Peer-Id/Server-Id Issue
>
> It has been pointed out that an EAP-TLS certificate can contain multiple subject or subjectAltName fields.
>
> To address this, I propose that we add the following text to Section 5.2:
>
> It is possible for more than one subjectAltName field to be present in a peer or server certificate. Where more than one subjectAltName field is present in a certificate, EAP-TLS implementations SHOULD export all the subjectAltName fields within Peer-Ids or Server-Ids; all of the exported Peer-Ids and Server-Ids are considered valid.
>
> Similarly, if more than one subject field is present in a peer or server certificate, and no subjectAltName field is present, then EAP-TLS implementations SHOULD export all of the subject fields within Peer-Ids and Server-Ids; all of the exported Peer-Ids and Server-Ids are considered valid.
_______________________________________________
Emu mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/emu
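The name-set rule the thread converges on (export every subjectAltName value, export the Subject DN only when it is non-empty, and treat a match against any exported Peer-Id or Server-Id as valid), shown as an added example in Go using only the standard library. This is not code from the thread or from any EAP-TLS implementation. The self-signed certificates, the names in them and the `ExportedIds`, `Matches` and `selfSigned` helpers are constructed for illustration, and the `dNSName:`/`subject:` style prefixes are an assumed labelling convention, not a format any RFC prescribes. The second certificate exercises the case Ryan raises: SANs present, DN empty.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ExportedIds derives the Peer-Id/Server-Id set from a parsed certificate
// following the proposed Section 5.2 text: every subjectAltName value is
// exported, and the Subject DN is exported only when it is non-empty.
// The "type:value" prefixes are an assumed labelling convention for this
// example so that different name forms cannot be confused with each other.
func ExportedIds(cert *x509.Certificate) []string {
	var ids []string
	for _, d := range cert.DNSNames {
		ids = append(ids, "dNSName:"+d)
	}
	for _, e := range cert.EmailAddresses {
		ids = append(ids, "rfc822Name:"+e)
	}
	for _, ip := range cert.IPAddresses {
		ids = append(ids, "iPAddress:"+ip.String())
	}
	for _, u := range cert.URIs {
		ids = append(ids, "uniformResourceIdentifier:"+u.String())
	}
	// pkix.Name.String() is "" for an empty DN, which RFC 3280 permits when
	// a subjectAltName extension is present; such a DN is not exported.
	if dn := cert.Subject.String(); dn != "" {
		ids = append(ids, "subject:"+dn)
	}
	return ids
}

// Matches reports whether the identity the other side expects is one of
// the exported ids; the proposal treats every exported id as valid.
func Matches(ids []string, expected string) bool {
	for _, id := range ids {
		if id == expected {
			return true
		}
	}
	return false
}

// selfSigned builds a throw-away self-signed certificate (constructed test
// data, not a deployment certificate) with the given subject and SANs.
func selfSigned(subject pkix.Name, dns, emails []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        subject,
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(time.Hour),
		DNSNames:       dns,
		EmailAddresses: emails,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	// Constructed: two SANs plus a non-empty DN, so three ids are exported.
	c1, err := selfSigned(pkix.Name{CommonName: "peer1", Organization: []string{"Example"}},
		[]string{"peer1.example.org"}, []string{"peer1@example.org"})
	if err != nil {
		panic(err)
	}
	fmt.Println(ExportedIds(c1))

	// Constructed: SANs only and an empty DN, so only the SANs are exported.
	c2, err := selfSigned(pkix.Name{}, []string{"srv.example.org", "srv.example.net"}, nil)
	if err != nil {
		panic(err)
	}
	ids := ExportedIds(c2)
	fmt.Println(ids, Matches(ids, "dNSName:srv.example.net"))
}
```

The check a verifier actually needs is `Matches` against the name it was configured to expect; exporting the whole set and matching any element is exactly the "all exported ids are considered valid" semantics of the proposed text, and the empty-DN branch is what keeps a SAN-only certificate from exporting an empty subject as an identity.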
