On Thu, Apr 01, 2010 at 12:59:11PM -0400, Scott Cantor wrote:
> > It seems that there is a general requirement for URI matching. URIs are not
> > only used in subjectAltName, but are used in X.500 in general, i.e., for
> > RFID support. Defining uniformResourceIdentifier as just an IA5String may
> > also be a simplification.
>
> However, matching on URI makes a lot more sense as a certificate constraint
> if you also stop at that point rather than continuing to DNS or CN-based
> matching. If you just keep going, it's not worth much.
Right. Most current software relies on being able to match any one identity
in the certificate. If there are multiple identities, then the algorithm that
should be used is to match more specific identities first (e.g. URI/SRVName
before dNSName etc.). I forget whether the draft says that or not, but we
discussed it.

Another way around this is to use URI/SRVName, but also have a dNSName that
includes an "application specific server name" which might need to be
locally configured in the client. See:

http://www.ietf.org/mail-archive/web/apps-discuss/current/msg00935.html

In fact, for anyone not in the apps list, I'd recommend reading the entire
thread where some of these issues were discussed:

http://www.ietf.org/mail-archive/web/apps-discuss/current/msg00902.html

--Shumon.

_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
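The most-specific-first rule discussed in the message above, worked through as an added example. This is not code from the thread or from any IETF draft; it assumes the subjectAltName entries have already been extracted into simple records (no certificate is parsed), that an SRVName is available in the RFC 4985 textual form `_Service.Name`, and that the client's reference identity carries a service name when it arrived via an SRV lookup and a URI scheme when it is targeting a URI. It implements the "stop at that point" behaviour Scott asks for: once the certificate presents an identifier type the client has a reference for, a mismatch on that type is final and does not fall through to dNSName.

```python
"""Most-specific-first matching of subjectAltName identities against a
client's reference identity.

Added example, not code from the certid thread or any IETF draft. Order is
SRVName, then URI, then dNSName; the first type that both the certificate
presents and the client has a reference component for decides the result.
CN-ID fallback is deliberately not modelled. All sample data is constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class SanEntry:
    kind: str   # one of "SRVName", "URI", "dNSName" (assumed labels)
    value: str


@dataclass(frozen=True)
class ReferenceIdentity:
    host: str
    service: Optional[str] = None     # e.g. "xmpp-server" after an SRV lookup
    uri_scheme: Optional[str] = None  # e.g. "https" when targeting a URI


def _norm_host(host: str) -> str:
    return host.rstrip(".").lower()


def _match_srv(value: str, ref: ReferenceIdentity) -> bool:
    # SRVName assumed in the RFC 4985 textual form "_Service.Name".
    if ref.service is None or not value.startswith("_"):
        return False
    service, sep, name = value[1:].partition(".")
    return (bool(sep) and service.lower() == ref.service.lower()
            and _norm_host(name) == _norm_host(ref.host))


def _match_uri(value: str, ref: ReferenceIdentity) -> bool:
    # Compares scheme and host only; path and port are ignored here.
    if ref.uri_scheme is None:
        return False
    parts = urlsplit(value)
    return (parts.scheme.lower() == ref.uri_scheme.lower()
            and parts.hostname is not None
            and _norm_host(parts.hostname) == _norm_host(ref.host))


def _match_dns(value: str, ref: ReferenceIdentity) -> bool:
    # Wildcard accepted only as the entire left-most label, matching one label.
    cand, want = _norm_host(value), _norm_host(ref.host)
    if cand.startswith("*."):
        suffix = cand[1:]                 # ".example.com"
        if not want.endswith(suffix):
            return False
        leading = want[:-len(suffix)]
        return leading != "" and "." not in leading
    return cand == want


# Most specific first. A type is applicable when the certificate carries at
# least one entry of that type AND the client has the matching reference
# component; the first applicable type decides, with no fall-through.
_PRECEDENCE = (
    ("SRVName", lambda ref: ref.service is not None, _match_srv),
    ("URI", lambda ref: ref.uri_scheme is not None, _match_uri),
    ("dNSName", lambda ref: True, _match_dns),
)


def match_identity(san: List[SanEntry],
                   ref: ReferenceIdentity) -> Tuple[bool, Optional[str]]:
    """Return (matched, deciding_type). deciding_type is None when the
    certificate carries no identifier type the client can use at all."""
    for kind, applicable, matcher in _PRECEDENCE:
        entries = [e for e in san if e.kind == kind]
        if not entries or not applicable(ref):
            continue
        return any(matcher(e.value, ref) for e in entries), kind
    return False, None


# Constructed sample SANs (not taken from any real certificate).
XMPP_SAN = [SanEntry("dNSName", "example.net"),
            SanEntry("SRVName", "_xmpp-server.example.net")]
WEB_SAN = [SanEntry("URI", "https://api.example.com/v1"),
           SanEntry("dNSName", "*.example.com")]

if __name__ == "__main__":
    # The dNSName matches, but the SRVName is decisive and does not:
    print(match_identity(XMPP_SAN, ReferenceIdentity("example.net", service="xmpp-client")))
    print(match_identity(XMPP_SAN, ReferenceIdentity("example.net", service="xmpp-server")))
    print(match_identity(WEB_SAN, ReferenceIdentity("api.example.com", uri_scheme="https")))
```

The second `XMPP_SAN` case is the one Scott's remark is about: a client that resolved `_xmpp-client` and is handed a certificate asserting only `_xmpp-server` is refused even though the bare `example.net` dNSName would have matched, because falling back to the less specific name would make the SRVName constraint worthless.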
