Randy,

The authors of RFC 6487 can speak for themselves, but I think their
intent was to avoid requests for "vanity names" (CN="Joe's Pizza"
instead of CN="4DF2D88957372FF9FDA05C70F2D9E8BA334CFF89"), which
could be construed as eroding claims that the RPKI attests only to
things like addresses and autonomous system numbers.

As I recall, the discussion at the time was based around a desire to
avoid any implication that the CA was attesting as to the identity of
the subject, i.e. the CA was explicitly not saying that the holder of
the public key was the individual described in the subject field (section
4.5 of RFC 6487).

except i vaguely remember a proposal to have there be special privileged
names for the certs of the rirs.

I floated that idea at one time, long, long ago, but it is not in
the RFC, and I don't believe it is true in practice (although I admit
that I have not checked, personally).

Steve

_______________________________________________
sidr mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/sidr