Shumon Huque wrote:
> On Mon, Mar 24, 2008 at 12:18:25PM -0600, Peter Saint-Andre wrote:
>> Shumon Huque wrote:
>>> On Sun, Mar 23, 2008 at 10:58:58AM +0000, Alexey Melnikov wrote:
>>>> Have you compared this to recommendations in
>>>> draft-hodges-server-ident-check-00.txt? This draft has some extra
>>>> recommendations about internationalized domain names (IDN).
>>> Thanks for the pointer. That looks reasonable to me. If it
>>> gets published, 3920bis could reference that, and then add
>>> supplementary text for the additional application specific
>>> checks, e.g. what subjectAltName fields specifically to check
>>> and how. I would be okay with either SRVName or URI as a means
>>> to solve the application specific identity problem.
>> As mentioned, I think SRVName is better for this.
>
> I'm good with that ..

OK.

>>>> Also, draft-hodges-server-ident-check-00.txt prohibits wildcard checks
>>>> in CNs (case c).
>>> Hmm, personally I'm okay with this too (I've never been a fan
>>> of wildcard certs anyway). Unfortunately, the most likely
>>> case of seeing a wildcard today happens to be in the CN, so I
>>> would anticipate others might object to it ..
>> I think the appropriate place for wildcards is in the dnsName, not the CN.
>>
>> Peter
>
> Yeah, I certainly agree with that. And more generally, domain names
> of any kind should not be placed in CN. I was mainly thinking of
> compatibility with widely used practice. But perhaps the revised
> spec is a good opportunity to explicitly denigrate bad practices!

I'll add some text about it in the next version of rfc3920bis (which I
need to push out soon, since the existing version expires on April 7).

Peter

--
Peter Saint-Andre
https://stpeter.im/
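
The checking policy discussed in this thread (SRVName for the application-specific identity, wildcards honored in dNSName but never in CN), sketched as an added example that is not part of the original messages or of any draft text. The pre-parsed certificate dict, the function names, the wildcard matching rule and the optional exact-match CN fallback are assumptions made for illustration.

```python
# Added illustration; certificate contents below are constructed sample data.

def _labels(name):
    return name.rstrip(".").lower().split(".")

def dns_name_matches(pattern, host):
    """Assumption: '*' counts only as the whole left-most label, covers
    exactly one label, and needs at least two fixed labels after it."""
    p, h = _labels(pattern), _labels(host)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and "*" not in p[1:] and p[1:] == h[1:]
    return "*" not in pattern and p == h

def srv_name_matches(srv_name, service, domain):
    """SRVName carries '_Service.Name'; compared exactly, never as a wildcard."""
    return "*" not in srv_name and _labels(srv_name) == _labels(f"_{service}.{domain}")

def check_identity(cert, service, domain, allow_cn_fallback=False):
    """Return the identifier type that matched, or None.
    cert is a hypothetical pre-parsed dict: srv_names, dns_names, cn."""
    for name in cert.get("srv_names", []):
        if srv_name_matches(name, service, domain):
            return "SRVName"
    for name in cert.get("dns_names", []):
        if dns_name_matches(name, domain):
            return "dNSName"
    # CN: off by default; when enabled for compatibility it is an exact
    # comparison only, so a wildcard CN never matches (assumed policy).
    cn = cert.get("cn", "")
    if allow_cn_fallback and "*" not in cn and _labels(cn) == _labels(domain):
        return "CN"
    return None

CERT_SRV = {"srv_names": ["_xmpp-client.example.com"], "cn": "Example IM"}
CERT_WILD_SAN = {"dns_names": ["*.example.com"], "cn": "Example IM"}
CERT_WILD_CN = {"cn": "*.example.com"}
CERT_PLAIN_CN = {"cn": "im.example.com"}

if __name__ == "__main__":
    print(check_identity(CERT_SRV, "xmpp-client", "example.com"))
    print(check_identity(CERT_WILD_SAN, "xmpp-server", "im.example.com"))
    print(check_identity(CERT_WILD_CN, "xmpp-server", "im.example.com", True))
```
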
