> -----Original Message-----
> From: Bernard Aboba [mailto:[EMAIL PROTECTED]
> Sent: Monday, June 11, 2007 3:01 PM
> To: Joseph Salowey (jsalowey); [email protected]
> Subject: RE: [Emu] Issue: Encoding of NAIs within EAP-TLS certificates
>
> > Joe Salowey
> >
> > Ok the text below seems to mandate rfc822 SubjectAltName in all cases.
> > How about just removing the reference to the emailAddress RDN from
> > that paragraph. Perhaps replacing it by:
> >
> > "If subject naming information is present only in the subject name
> > field and the peer identity represents a host or device the subject
> > name field SHOULD contain a CN RDN or serialNumber RDN."
>
> This looks ok. I think the analog for the server side is as follows:
>
> "If subject naming information is present only in the subject
> name field of a server certificate, then the subject name
> field MUST contain a CN RDN or serialNumber RDN."

[Joe] Should this be 'MUST' or 'SHOULD'?
> > It is RECOMMENDED that
> > when the peer identity represents a user the Subject distinguished
> > name should not contain an emailAddress RDN, but rather use the rfc822
> > SubjectAltName as described above."
>
> Are we saying that the Subject DN should contain something
> other than an emailAddress RDN, or are we saying that it
> should not be present at all?
>
> The analog of the RFC 3280 language would appear to be the following:
>
> "Conforming implementations generating new certificates with
> network access identifiers MUST use the rfc822Name in the
> subject alternative name field to describe such identities.
> The use of the subject name field to contain an emailAddress
> RDN is deprecated, and MUST NOT be used."
>
> This says that new certificates utilizing rfc822Names always
> use the subjectAltName field, rather than the subject DN.

[Joe] OK this is for NAI. How about adding a sentence for non-NAI identities. "The subject name field MAY contain RDNs for representing non-NAI identities."

_______________________________________________
Emu mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/emu
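The naming rules being negotiated in this thread (rfc822Name in subjectAltName for NAIs, emailAddress RDN in the Subject DN deprecated, and a CN or serialNumber RDN when a host or device is named only in the subject field) are easy to state but easy to get wrong when checking a certificate, because the two places an identity can live are encoded differently. The following is an added example, not code from the draft, the list, or any IETF implementation: a minimal DER walker over just the Subject Name and the subjectAltName extension value, with the sample structures constructed inline rather than taken from any real certificate. The function names, the `identity_kind` parameter and the finding strings are my own; the OIDs and the `[1] IMPLICIT IA5String` tag for rfc822Name come from RFC 3280.

```python
# Added example (not from the EMU thread): check an X.509 subject Name and a
# subjectAltName value against the naming rules discussed on the list.
# Sample structures below are constructed for illustration, not real certs.

# RDN attribute types named in the thread (OIDs per RFC 3280 / PKCS#9).
OID_CN = "2.5.4.3"
OID_SERIAL_NUMBER = "2.5.4.5"
OID_EMAIL_ADDRESS = "1.2.840.113549.1.9.1"   # emailAddress, deprecated in subject DN

TAG_RFC822_NAME = 0x81   # GeneralName rfc822Name: [1] IMPLICIT IA5String


def der_len(n):
    """Encode a DER length in short or long form."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag, body):
    return bytes([tag]) + der_len(len(body)) + body


def encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytes([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:                    # base-128, high bit set on all but last byte
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return out


def decode_oid(body):
    arcs = [body[0] // 40, body[0] % 40]
    val = 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def read_tlv(buf, pos):
    """Return (tag, body, next_pos) for the TLV starting at buf[pos]."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def children(body):
    pos = 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        yield tag, inner


def encode_name(rdns):
    """Name ::= SEQUENCE OF SET OF AttributeTypeAndValue; one attribute per RDN."""
    sets = b"".join(tlv(0x31, tlv(0x30, tlv(0x06, encode_oid(oid)) + tlv(0x0C, v.encode())))
                    for oid, v in rdns)     # 0x0C = UTF8String
    return tlv(0x30, sets)


def parse_name(der):
    """Return [(dotted_oid, value_string), ...] for every attribute in the Name."""
    _, body, _ = read_tlv(der, 0)
    attrs = []
    for _, set_body in children(body):
        for _, attr_body in children(set_body):
            _, oid_body, pos = read_tlv(attr_body, 0)
            _, val_body, _ = read_tlv(attr_body, pos)
            attrs.append((decode_oid(oid_body), val_body.decode()))
    return attrs


def encode_san(general_names):
    """GeneralNames ::= SEQUENCE OF GeneralName, given as [(context_tag, text), ...]."""
    return tlv(0x30, b"".join(tlv(t, s.encode("ascii")) for t, s in general_names))


def parse_san(der):
    _, body, _ = read_tlv(der, 0)
    return [(t, b.decode("ascii")) for t, b in children(body)]


def check_naming(subject_der, san_der, identity_kind):
    """Apply the thread's rules; identity_kind is 'user' or 'host'. Returns findings."""
    rdn_oids = {oid for oid, _ in parse_name(subject_der)}
    san = parse_san(san_der) if san_der else []
    findings = []
    if OID_EMAIL_ADDRESS in rdn_oids:       # RFC 3280 analog: deprecated, MUST NOT be used
        findings.append("emailAddress RDN in subject: deprecated, use rfc822Name SAN")
    if identity_kind == "user" and not any(t == TAG_RFC822_NAME for t, _ in san):
        findings.append("user identity without rfc822Name subjectAltName (RECOMMENDED)")
    if identity_kind == "host" and not san and not (rdn_oids & {OID_CN, OID_SERIAL_NUMBER}):
        findings.append("host named only in subject field but no CN or serialNumber RDN")
    return findings


# Constructed samples (hypothetical identities, not real certificates).
GOOD_USER = (encode_name([(OID_CN, "alice")]), encode_san([(TAG_RFC822_NAME, "alice@example.com")]))
BAD_USER = (encode_name([(OID_EMAIL_ADDRESS, "alice@example.com")]), b"")
GOOD_HOST = (encode_name([(OID_SERIAL_NUMBER, "SN-0001")]), b"")
BAD_HOST = (encode_name([("2.5.4.10", "Example Org")]), b"")   # organizationName only

if __name__ == "__main__":
    for label, (subj, san), kind in [("good user", *[GOOD_USER], "user"), ("bad user", *[BAD_USER], "user"),
                                     ("good host", *[GOOD_HOST], "host"), ("bad host", *[BAD_HOST], "host")]:
        print(label, check_naming(subj, san, kind))
```

Note that the check deliberately looks at the subjectAltName first: a certificate can carry both a CN RDN and an rfc822Name, and under the draft text the rfc822Name is the one that names an NAI, while the subject RDNs only matter when no SAN naming information is present.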
