Hi Victor,

> Certificates are barely checked in SMTP at all (opportunistic
> and at that), but to the extent that they are, I am not aware
> of anyone who's got meaningful certificates that only have a
> matching CN and no matching SAN.
>
> It is fine to deprecate the requirement to support CNs in the
> absence of a DNS-ID SAN also for SMTP (not just Web). Long
> overdue.
I have no problem with this sort of thing either. In fact, perhaps now is the precise time to add this requirement for SMTP-based servers. My issue is more around certificates used to identify hardware (iDevIDs). In this case, if a SAN is included then implementations are requested to use HardwareModuleName from RFC 4108. I'm quite certain this is NOT what Rich had in mind when he was writing the document, and thus my suggestions.

Eliot
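The rule the two messages above agree on for SMTP, matching the presented name only against dNSName SANs and no longer falling back to the Subject CN, is easy to make concrete. The Go program below is an added example written for this archive page; it is not code from the thread, from Victor or Eliot, or from any IETF draft. It generates two constructed self-signed certificates, one with only a CN and one with a matching DNS SAN, and checks both against the hostname `mail.example.com` (an assumed value) with Go's standard-library `VerifyHostname`, which already implements the SAN-only rule, beside a legacy CN-fallback matcher written here for contrast. It covers only the DNS-ID case; the HardwareModuleName otherName form that the iDevID remark refers to is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a throwaway self-signed certificate (constructed for this
// example) with the given Subject CN and optional dNSName SANs, then parses
// it back so the fields are populated exactly as a peer would see them.
func makeCert(cn string, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dnsNames, // nil => no SubjectAltName extension at all
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// MatchesHost applies the SAN-only rule proposed in the thread: the host is
// accepted only if a dNSName SAN matches it. Go's VerifyHostname ignores the
// Subject CN entirely, so a CN-only certificate never matches.
func MatchesHost(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}

// CNOnlyMatch is the legacy behaviour being deprecated: when the certificate
// carries no dNSName SAN, fall back to comparing the Subject CN.
func CNOnlyMatch(cert *x509.Certificate, host string) bool {
	if len(cert.DNSNames) > 0 {
		return MatchesHost(cert, host)
	}
	return cert.Subject.CommonName == host
}

func main() {
	host := "mail.example.com" // assumed hostname for the demonstration
	cnOnly, err := makeCert(host, nil)
	if err != nil {
		panic(err)
	}
	withSAN, err := makeCert(host, []string{host})
	if err != nil {
		panic(err)
	}
	fmt.Printf("CN-only cert, SAN rule:      %v\n", MatchesHost(cnOnly, host))
	fmt.Printf("CN-only cert, CN fallback:   %v\n", CNOnlyMatch(cnOnly, host))
	fmt.Printf("SAN cert, SAN rule:          %v\n", MatchesHost(withSAN, host))
	fmt.Printf("SAN cert, other host:        %v\n", MatchesHost(withSAN, "smtp.example.com"))
}
```

Running it shows the CN-only certificate accepted only by the legacy matcher and rejected by the SAN-only rule, while the certificate carrying a dNSName SAN is accepted for its own name and rejected for any other; that difference is exactly what a deployment loses, and gains, when the CN fallback is dropped for SMTP.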
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
