Joe Salowey

> Ok the text below seems to mandate rfc822 SubjectAltName in all cases.
> How about just removing the reference to the emailAddress RDN from that
> paragraph. Perhaps replacing it by:
>
> "If subject naming information is present only in the subject name field
> and the peer identity represents a host or device the subject name field
> SHOULD contain a CN RDN or serialNumber RDN."

This looks ok. I think the analog for the server side is as follows:

"If subject naming information is present only in the subject name
field of a server certificate, then the subject name field
MUST contain a CN RDN or serialNumber RDN."

> It is RECOMMENDED that when the peer identity represents a user the
> Subject distinguished name should not contain an emailAddress RDN, but
> rather use the rfc822 SubjectAltName as described above."

Are we saying that the Subject DN should contain something other than an
emailAddress RDN, or are we saying that it should not be present at all?

The analog of the RFC 3280 language would appear to be the following:

"Conforming implementations generating new certificates with network
access identifiers MUST use the rfc822Name in the subject alternative
name field to describe such identities. The use of the subject name
field to contain an emailAddress RDN is deprecated, and MUST NOT be
used."

This says that new certificates utilizing rfc822Names always use the
subjectAltName field, rather than the subject DN.
_______________________________________________ Emu mailing list [email protected] https://www1.ietf.org/mailman/listinfo/emu
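As an added example (not part of the message above or of any IETF text), the following Python checker applies the naming rules quoted in the thread to a certificate's subject DN and subjectAltName. It assumes the subject is given as an RFC 4514 string (the form `openssl x509 -noout -subject -nameopt RFC2253` prints) and the SAN as a list of (general-name type, value) pairs; the role labels "user", "host" and "server" are my own.

```python
# Added example: checks a certificate's subject DN string and SAN entries
# against the subject-naming rules discussed in the thread.  Inputs are
# assumed to be the RFC 4514 DN text (as printed by openssl with
# -nameopt RFC2253) and the SAN as (type, value) pairs; role names are mine.
from typing import List, Tuple

# Dotted OIDs openssl may print for types that have no short name.
OID_MAP = {"1.2.840.113549.1.9.1": "emailAddress", "2.5.4.5": "serialNumber"}


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 DN string into (attributeType, value) pairs.
    Honours simple backslash escapes ('O=Example\\, Inc.' stays one value)
    and splits multi-valued RDNs joined with '+' into separate pairs."""
    pairs, buf, i = [], [], 0
    while i <= len(dn):
        ch = dn[i] if i < len(dn) else ","  # sentinel closes the last RDN
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])           # escaped char is literal
            i += 2
            continue
        if ch in ",+":
            attr = "".join(buf).strip()
            if attr:
                typ, _, val = attr.partition("=")
                typ = typ.strip()
                pairs.append((OID_MAP.get(typ, typ), val.strip()))
            buf = []
        else:
            buf.append(ch)
        i += 1
    return pairs


def check_naming(subject_dn: str, san: List[Tuple[str, str]], role: str) -> List[str]:
    """Return rule violations for a cert whose peer identity is a 'user',
    a 'host' (client device) or a 'server'.  Per the thread: user identities
    go in an rfc822Name SAN and the emailAddress RDN MUST NOT be used; when
    naming is only in the subject field, a host SHOULD and a server MUST
    carry a CN or serialNumber RDN."""
    types = {t for t, _ in parse_dn(subject_dn)}
    san_types = {t for t, _ in san}
    problems = []
    if role == "user":
        if "emailAddress" in types:
            problems.append("MUST NOT: emailAddress RDN in subject (deprecated)")
        if "rfc822Name" not in san_types:
            problems.append("MUST: user identity requires an rfc822Name subjectAltName")
    elif role in ("host", "server"):
        if not san and not types & {"CN", "serialNumber"}:
            level = "MUST" if role == "server" else "SHOULD"
            problems.append(f"{level}: subject-only naming needs a CN or serialNumber RDN")
    else:
        raise ValueError(f"unknown role {role!r}")
    return problems
```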
