URL: https://github.com/freeipa/freeipa/pull/228
Title: #228: cert-request: allow directoryName in SAN extension

tiran commented:
I'm on topic and I'm trying to understand your point. Why do you see a 
relationship between the subject DN of a X.509 and the directoryName general 
name in SAN X.509v3 extension? It doesn't make sense to me. The subject follows 
different rules, e.g. a disjunct set of RDN attributes. Attributes like DC, UID 
etc. are not commonly found in a X.509 cert's subject.

Further more a CA usually imposes some policies and requires the certificate's 
subject to have fixed C, O, OU etc values. With multiple SubCAs (e.g. for VPN, 
client cert auth, host certs) we end up with different subject DNs but with the 
same directoryName GN SAN entry. The directoryName is designed to hold a LDAP 

By the way, I was quoting the RFC to give some context. With X.509 there is no 
such thing as an obvious thing. In fact multiple certs with the same Subject DN 
is very relevant and important for this topic. A certificate's Subject DN is 
not really a distinguishing name in the sense of a unique identifier.


See the full comment at 
Manage your subscription for the Freeipa-devel mailing list:
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to