Correcting error in text below:

> -----Original Message-----
> From: Joseph Salowey (jsalowey)
> Sent: Monday, June 11, 2007 9:29 PM
> To: Bernard Aboba; [email protected]
> Subject: RE: [Emu] Issue: Encoding of NAIs within EAP-TLS certificates
>
> > -----Original Message-----
> > From: Bernard Aboba [mailto:[EMAIL PROTECTED]
> > Sent: Monday, June 11, 2007 3:01 PM
> > To: Joseph Salowey (jsalowey); [email protected]
> > Subject: RE: [Emu] Issue: Encoding of NAIs within EAP-TLS certificates
> >
> > Joe Salowey
> >
> > > Ok the text below seems to mandate rfc822 SubjectAltName in all cases.
> > > How about just removing the reference to the emailAddress RDN from
> > > that paragraph. Perhaps replacing it by:
> > >
> > > "If subject naming information is present only in the subject name
> > > field and the peer identity represents a host or device the subject
> > > name field SHOULD contain a CN RDN or serialNumber RDN."
> >
> > This looks ok. I think the analog for the server side is as follows:
> >
> > "If subject naming information is present only in the subject name
> > field of a server certificate, then the subject name field MUST
> > contain a CN RDN or serialNumber RDN."
>
> [Joe] Should this be 'MUST' or 'SHOULD'?
>
> > > It is RECOMMENDED that when the peer identity represents a user the
> > > Subject distinguished name should not contain an emailAddress RDN,
> > > but rather use the rfc822 SubjectAltName as described above."
> >
> > Are we saying that the Subject DN should contain something other than
> > an emailAddress RDN, or are we saying that it should not be present at
> > all?
> >
> > The analog of the RFC 3280 language would appear to be the following:
> >
> > "Conforming implementations generating new certificates with network
> > access identifiers MUST use the rfc822Name in the subject alternative
> > name field to describe such identities. The use of the subject name
> > field to contain an emailAddress RDN is deprecated, and MUST NOT be
> > used."
> >
> > This says that new certificates utilizing rfc822Names always use the
> > subjectAltName field, rather than the subject DN.
>
> [Joe] OK this is for NAI. How about adding a sentence for non-NAI identities.
>
> "The subject name field MAY contain Runs for representing non-NAI identities."
>

s/Runs/RDNs

_______________________________________________
Emu mailing list
[email protected]
https://www1.ietf.org/mailman/listinfo/emu
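As an added example (my own code, not text from the thread or from any EAP-TLS draft), here is a small checker that applies the naming rules proposed above to a certificate's subject RDNs and subjectAltName entries. It models the certificate as plain Python data instead of parsing DER, so it runs without an X.509 library; the OIDs are the standard commonName, serialNumber and emailAddress attribute types, and the finding levels follow the proposed text, taking the RFC 3280 analog (MUST NOT) for an emailAddress RDN in the subject. The `CertNaming` structure and the function names are my own assumptions, not anything from the draft.

```python
"""Checker for the EAP-TLS certificate naming rules proposed in the thread.

Added example: models only the naming parts of a certificate (subject RDNs,
subjectAltName GeneralNames) as plain data, so no DER parsing is needed.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

# Attribute-type OIDs for the RDNs the rules talk about (X.520 / PKCS#9).
CN = "2.5.4.3"                          # commonName
SERIAL_NUMBER = "2.5.4.5"               # serialNumber
EMAIL_ADDRESS = "1.2.840.113549.1.9.1"  # emailAddress (PKCS#9, deprecated in subject)
ORG = "2.5.4.10"                        # organizationName (used only in sample data)


@dataclass
class CertNaming:
    """Assumed, simplified view of one certificate's naming information."""
    subject: List[Tuple[str, str]]                    # (attribute OID, value)
    san: List[Tuple[str, str]] = field(default_factory=list)  # (GeneralName type, value)
    is_server: bool = False          # server certificate, otherwise a peer certificate
    identity_is_user: bool = False   # peer identity is a user rather than a host/device


def nai_identities(cert: CertNaming) -> List[str]:
    """NAIs an EAP-TLS implementation would take from the certificate:
    only rfc822Name subjectAltName entries count, never an emailAddress RDN."""
    return [value for kind, value in cert.san if kind == "rfc822Name"]


def check_naming(cert: CertNaming) -> List[Tuple[str, str]]:
    """Return (requirement level, description) findings for rule violations."""
    findings = []

    # Proposed RFC 3280 analog: NAIs go in SAN rfc822Name; emailAddress RDN MUST NOT be used.
    if any(oid == EMAIL_ADDRESS for oid, _ in cert.subject):
        findings.append(("MUST NOT",
                         "subject contains an emailAddress RDN; put the NAI in an "
                         "rfc822Name subjectAltName instead"))

    # The remaining rules apply when naming information is present only in the subject.
    if cert.san:
        return findings

    has_cn_or_serial = any(oid in (CN, SERIAL_NUMBER) for oid, _ in cert.subject)
    if cert.is_server:
        if not has_cn_or_serial:
            findings.append(("MUST",
                             "server certificate without SAN lacks a CN or serialNumber RDN"))
    elif cert.identity_is_user:
        findings.append(("RECOMMENDED",
                         "user identity should be carried in an rfc822Name subjectAltName"))
    elif not has_cn_or_serial:
        findings.append(("SHOULD",
                         "host/device certificate without SAN lacks a CN or serialNumber RDN"))
    return findings


def finding_levels(cert: CertNaming) -> List[str]:
    """Convenience: just the requirement levels, in order of detection."""
    return [level for level, _ in check_naming(cert)]


# Constructed sample certificates (not real certificates).
USER_OK = CertNaming(subject=[(CN, "alice")],
                     san=[("rfc822Name", "alice@example.com")],
                     identity_is_user=True)
USER_LEGACY = CertNaming(subject=[(EMAIL_ADDRESS, "bob@example.com")],
                         identity_is_user=True)
SERVER_NO_CN = CertNaming(subject=[(ORG, "Example Corp")], is_server=True)
DEVICE_SERIAL = CertNaming(subject=[(SERIAL_NUMBER, "ABC123")])

if __name__ == "__main__":
    for name, cert in [("user ok", USER_OK), ("user legacy", USER_LEGACY),
                       ("server no CN", SERVER_NO_CN), ("device serial", DEVICE_SERIAL)]:
        print(name, nai_identities(cert), check_naming(cert))
```

The split between `nai_identities` and `check_naming` mirrors the point Bernard makes: the identity an implementation acts on comes from the rfc822Name SAN, while a subject emailAddress RDN is only ever a policy finding, never a source of identity.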
