Paul Hoffman wrote:
> At 11:54 AM -0500 3/27/08, Dean Willis wrote:
>> OpenSSL can generate SAN. None of my certs have it.
>
> Off-list, Dean told me that his certs are CA certs, which indeed
> should not have the domain name in the subjectAltName.
>
> But the bigger question is: how important is being able to handle
> legacy certificates for this protocol?

The WG consensus so far has been that handling legacy certificates is
very important. If we (i.e., the author team) get guidance from the ADs
and SecDir that this can be relaxed, then we can do as you suggest.

> Because you are mandating that the certificates have to have the new
> EKU [...]

Our thought was to have *new* certificates be issued with the SIP EKU
and identity in SAN. However, legacy certificates will most certainly
not have the SIP EKU, but could possibly have the identity in SAN. Thus
the rules you see in the drafts to allow legacy certificates to be used
while supporting newly issued certificates.

Thanks,

- vijay
--
Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent
2701 Lucent Lane, Rm. 9F-546, Lisle, Illinois 60532 (USA)
Email: [EMAIL PROTECTED],bell-labs.com,acm.org}
WWW: http://www.alcatel-lucent.com/bell-labs
_______________________________________________
Sip mailing list
https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use [EMAIL PROTECTED] for questions on current sip
Use [EMAIL PROTECTED] for new developments on the application of sip
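As an added illustration of the two certificate populations discussed above (newly issued certs carrying the SIP EKU plus a SAN identity, legacy certs without the EKU, and CA certs that assert no domain at all), here is example code that is not from the thread, the draft, or any SIP implementation. The SAN/EKU input representation, the id-kp-sipDomain OID from RFC 5924, and the fallback to the subject CN for legacy certificates with no SAN identity are all assumptions made for the example, not rules quoted from the draft.

```python
# Added example: classify a certificate as "new" (SIP EKU present) or
# "legacy" and work out which SIP domain identities it asserts.  The
# CN fallback for legacy certificates is an assumed policy for illustration.

ID_KP_SIP_DOMAIN = "1.3.6.1.5.5.7.3.20"  # id-kp-sipDomain (RFC 5924)


def _host_from_sip_uri(uri):
    """Return the host part of a sip:/sips: URI, or None if it is not one."""
    scheme, sep, rest = uri.partition(":")
    if not sep or scheme.lower() not in ("sip", "sips"):
        return None
    host = rest.rsplit("@", 1)[-1]                  # drop any user part
    host = host.split(";", 1)[0].split(":", 1)[0]   # drop params and port
    return host.lower() or None


def sip_identities(san, eku, cn, is_ca=False):
    """san: list of (type, value) pairs from subjectAltName, e.g.
    ("dNSName", "example.com") or ("URI", "sip:example.com").
    eku: list of OID strings from extendedKeyUsage, or None when absent.
    cn: subject commonName or None.  Returns (kind, [domains])."""
    if is_ca:
        return ("ca", [])   # a CA cert carries no SIP domain identity
    kind = "new" if eku and ID_KP_SIP_DOMAIN in eku else "legacy"
    found = []
    for san_type, value in san:
        if san_type == "dNSName":
            found.append(value.lower())
        elif san_type == "URI":
            host = _host_from_sip_uri(value)
            if host:
                found.append(host)
    # New certs must carry the identity in SAN; only a legacy cert may
    # fall back to the CN (assumed policy, not the draft's wording).
    if not found and kind == "legacy" and cn:
        found.append(cn.lower())
    return (kind, list(dict.fromkeys(found)))   # de-duplicate, keep order


def cert_matches_domain(san, eku, cn, domain, is_ca=False):
    """True when the certificate asserts the SIP domain being contacted."""
    return domain.lower() in sip_identities(san, eku, cn, is_ca)[1]
```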
