At 11:54 AM -0500 3/27/08, Dean Willis wrote:
> OpenSSL can generate SAN. None of my certs have it.
Off-list, Dean told me that his certs are CA certs, which indeed
should not have the domain name in the subjectAltName.
But the bigger question is: how important is being able to handle
legacy certificates for this protocol? Specifically, section 7.1 of
the document says:
I-D.sip-eku [9] describes the method to validate any Extended Key
Usage values found in the certificate for a SIP domain.
Implementations MUST perform the checks prescribed by that
specification.
Given an X.509 certificate that the above checks have found to be
acceptable, the following describes how to determine what SIP
identity or identities it contains. . . .
Because you are mandating that the certificates have to have the new
EKU (or, if you adopt my earlier suggestion, a new PKIX extension
that is better suited to your needs), you can also mandate that
the new certs need to follow RFC 3280 and put the domain name in the
subjectAltName. This is simpler, and will certainly lead to better
interoperability.
--Paul Hoffman, Director
--VPN Consortium
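Added example, not from this mail or from either draft: a Go check that applies the policy argued for above, requiring both the SIP-domain EKU and a dNSName in the subjectAltName, and rejecting a CN-only legacy cert. It assumes the id-kp-sipDomain OID value 1.3.6.1.5.5.7.3.20 (the arc the sip-eku I-D was later assigned in RFC 5924) and builds its own constructed self-signed fixtures via a hypothetical `SelfSigned` helper.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"math/big"
	"time"
)

// id-kp-sipDomain (1.3.6.1.5.5.7.3.20): the EKU defined by the sip-eku I-D, later RFC 5924.
var oidSIPDomain = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 3, 20}

// SIPDomainIdentities enforces the policy the mail argues for: the cert must carry
// the SIP-domain EKU, and identities come only from subjectAltName dNSName entries.
func SIPDomainIdentities(cert *x509.Certificate) ([]string, error) {
	hasEKU := false
	for _, oid := range cert.UnknownExtKeyUsage {
		hasEKU = hasEKU || oid.Equal(oidSIPDomain)
	}
	if !hasEKU {
		return nil, errors.New("certificate lacks id-kp-sipDomain EKU")
	}
	if len(cert.DNSNames) == 0 {
		return nil, errors.New("no dNSName in subjectAltName; CN-only legacy cert rejected")
	}
	return append([]string(nil), cert.DNSNames...), nil
}

// SelfSigned builds a constructed, short-lived test fixture (hypothetical, not a real cert).
func SelfSigned(cn string, sans []string, sipEKU bool) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour), DNSNames: sans}
	if sipEKU {
		tmpl.UnknownExtKeyUsage = []asn1.ObjectIdentifier{oidSIPDomain}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```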
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip