On Mon, Mar 24, 2008 at 12:18:25PM -0600, Peter Saint-Andre wrote:
> Shumon Huque wrote:
> > On Sun, Mar 23, 2008 at 10:58:58AM +0000, Alexey Melnikov wrote:
> >> Have you compared this to recommendations in
> >> draft-hodges-server-ident-check-00.txt? This draft has some extra
> >> recommendation about internationalized domain names (IDN).
> >
> > Thanks for the pointer. That looks reasonable to me. If it
> > gets published, 3920bis could reference that, and then add
> > supplementary text for the additional application specific
> > checks, e.g. what subjectAltName fields specifically to check
> > and how. I would be okay with either SRVName or URI as a means
> > to solve the application specific identity problem.
>
> As mentioned, I think SRVName is better for this.

I'm good with that ..

> >> Also, draft-hodges-server-ident-check-00.txt prohibits wildcard checks
> >> in CNs (case c).
> >
> > Hmm, personally I'm okay with this too (I've never been a fan
> > of wildcard certs anyway). Unfortunately, the most likely
> > case of seeing a wildcard today happens to be in the CN, so I
> > would anticipate others might object to it ..
>
> I think the appropriate place for wildcards is in the dnsName, not the CN.
>
> Peter

Yeah, I certainly agree with that. And more generally, domain
names of any kind should not be placed in CN. I was mainly thinking
of compatibility with widely used practice. But perhaps the revised
spec is a good opportunity to explicitly denigrate bad practices!

--Shumon.
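
The rule discussed in this thread (wildcards honoured in dNSName, refused in CN), sketched as an added example that is not part of the original messages or of either draft. The function names are hypothetical. The single left-most-label wildcard rule, the CN fallback used only when no dNSName is present, and the use of names already in ASCII form are assumptions.

```python
# Added example: identity check over names already extracted from a certificate.
# Assumptions (not stated in the thread): "*" is honoured only as the complete
# left-most label and covers exactly one label; CN is consulted only when the
# certificate carries no dNSName entries; names are already ASCII (A-labels).

def _labels(name):
    # Case-insensitive comparison, ignoring a trailing root dot.
    return name.rstrip(".").lower().split(".")

def dnsname_matches(pattern, domain):
    """Match one subjectAltName dNSName entry; a wildcard is allowed here."""
    p, d = _labels(pattern), _labels(domain)
    if len(p) != len(d) or "" in p or "" in d:
        return False
    if p[0] == "*":
        # Require at least "*.example.tld" so a wildcard never covers a TLD.
        return len(p) >= 3 and p[1:] == d[1:]
    # Partial wildcards such as "im*.example.com" are refused.
    return "*" not in pattern and p == d

def cn_matches(cn, domain):
    """Match a subject CN; any wildcard in a CN is refused outright."""
    if "*" in cn:
        return False
    return _labels(cn) == _labels(domain)

def check_identity(domain, dns_names, cn=None):
    """Return (ok, reason) for the domain the client intended to reach."""
    if dns_names:
        for entry in dns_names:
            if dnsname_matches(entry, domain):
                return True, "dNSName " + entry
        # A certificate that carries dNSName entries is judged on those alone.
        return False, "no dNSName matched; CN ignored"
    if cn is not None and cn_matches(cn, domain):
        return True, "CN " + cn
    return False, "no acceptable identity"

if __name__ == "__main__":
    # Constructed sample values, not taken from any real certificate.
    print(check_identity("im.example.com", ["*.example.com"]))
    print(check_identity("im.example.com", [], "*.example.com"))
```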
