On 4/1/10 11:23 AM, Shumon Huque wrote:
> On Thu, Apr 01, 2010 at 12:59:11PM -0400, Scott Cantor wrote:
>>> It seems that there is a general requirement for URI matching. URIs are not
>>> only used in subjectAltName, but are used in X.500 in general, i.e., for
>>> RFID support. Defining uniformResourceIdentifier as just an IA5String may
>>> also be a simplification.
>>
>> However, matching on URI makes a lot more sense as a certificate constraint
>> if you also stop at that point rather than continuing to DNS or CN-based
>> matching. If you just keep going, it's not worth much.
>
> Right. Most current software relies on being able to match any one
> identity in the certificate. If there are multiple identities, then
> the algorithm that should be used is to match more specific identities
> first (e.g. URI/SRVName before dNSName etc). I forget whether the
> draft says that or not, but we discussed it.

Yes, it's in the draft.

> Another way around this is to use URI/SRVName, but also have a
> dNSName that includes an "application specific server name" which
> might need to be locally configured in the client. See:
>
> http://www.ietf.org/mail-archive/web/apps-discuss/current/msg00935.html

Shumon, including SRV query names in dNSName seems novel to me. Is that
specified or recommended anywhere? Why not use SRVName instead and leave
dNSName as a pure domain name?

Peter

--
Peter Saint-Andre
https://stpeter.im/
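The matching rule the thread converges on (compare the most specific identity type first, URI/SRVName before dNSName, and stop at that type rather than falling through to dNSName or CN when it fails) is easy to get wrong in client code, so here is an added illustration of it. This is example code written for this page, not code from the certid draft, from the IETF, or from any participant in the thread. The specificity order, the "stop at the first applicable type" behaviour and the treatment of CN as a fallback used only when no subjectAltName identity exists are assumptions about the intent described above, and every host, service and scheme name in it is a constructed sample.

```python
"""Preference-ordered matching of certificate identities (added example).

Models the rule discussed in the thread: a client compares the most specific
identity type it has a reference identifier for (SRV-ID / URI-ID before DNS-ID,
with CN only as a legacy fallback) and stops there instead of falling through
to dNSName or CN when that comparison fails. Ordering and stop rule are
assumptions about the draft's intent; all names below are constructed samples.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Most specific first. Assumed ordering, per "URI/SRVName before dNSName".
PREFERENCE = ("SRV", "URI", "DNS", "CN")


@dataclass(frozen=True)
class Identifier:
    """One identity presented by the certificate (SAN entry or subject CN)."""
    kind: str    # one of PREFERENCE
    value: str   # SRVName "_svc.host", URI "scheme://host/...", or a DNS name


@dataclass(frozen=True)
class Reference:
    """What the client expects: a host, plus a service and/or scheme if known."""
    host: str
    service: Optional[str] = None   # e.g. "_xmpp-client"; enables SRV-ID matching
    scheme: Optional[str] = None    # e.g. "xmpp"; enables URI-ID matching


def _norm(host: str) -> str:
    return host.rstrip(".").lower()


def _dns_match(presented: str, host: str) -> bool:
    p, h = _norm(presented), _norm(host)
    if p == h:
        return True
    # Only a whole leftmost label may be "*", and it matches exactly one label.
    if p.startswith("*.") and "*" not in p[2:]:
        return h.count(".") == p.count(".") and h.endswith(p[1:])
    return False


def _srv_match(presented: str, ref: Reference) -> bool:
    # SRVName carries the SRV query name split as "_service.host".
    if not presented.startswith("_") or "." not in presented:
        return False
    svc, host = presented.split(".", 1)
    return svc.lower() == ref.service.lower() and _norm(host) == _norm(ref.host)


def _uri_match(presented: str, ref: Reference) -> bool:
    parts = urlsplit(presented)
    if parts.hostname is None:
        return False
    return parts.scheme.lower() == ref.scheme.lower() and _norm(parts.hostname) == _norm(ref.host)


def _applies(kind: str, ref: Reference) -> bool:
    # A type is only evaluated if the client holds a reference identifier of that type.
    return {"SRV": ref.service is not None, "URI": ref.scheme is not None,
            "DNS": True, "CN": True}[kind]


def _matches(kind: str, value: str, ref: Reference) -> bool:
    if kind == "SRV":
        return _srv_match(value, ref)
    if kind == "URI":
        return _uri_match(value, ref)
    return _dns_match(value, ref.host)   # DNS-ID and CN are compared as host names


def verify_identity(presented: List[Identifier], ref: Reference) -> Tuple[bool, str]:
    """Return (matched, kind_decided_on).

    The first kind in PREFERENCE that the certificate presents and the client
    can evaluate decides the outcome; less specific kinds are not consulted
    afterwards, so a certificate with a non-matching SRVName is rejected even
    when its dNSName would have matched.
    """
    present = {p.kind for p in presented}
    for kind in PREFERENCE:
        if kind not in present or not _applies(kind, ref):
            continue
        if kind == "CN" and present & {"SRV", "URI", "DNS"}:
            return False, "none"   # CN is ignored whenever any SAN identity exists
        matched = any(_matches(kind, p.value, ref) for p in presented if p.kind == kind)
        return matched, kind
    return False, "none"


if __name__ == "__main__":
    # Constructed sample certificate identities.
    cert = [Identifier("SRV", "_xmpp-client.example.com"),
            Identifier("DNS", "example.com"),
            Identifier("CN", "example.com")]
    print(verify_identity(cert, Reference("example.com", service="_xmpp-client")))  # (True, 'SRV')
    print(verify_identity(cert, Reference("example.com", service="_xmpp-server")))  # (False, 'SRV')
    print(verify_identity(cert, Reference("example.com")))                          # (True, 'DNS')
```

The second call in the sample is the case Scott raises: the SRVName is present but names a different service, and the verdict is a rejection even though the certificate's dNSName would have matched on its own. A client that kept going to dNSName after the SRVName comparison failed would accept that certificate, which is what makes the more specific identity "not worth much". The third call shows a client with no service reference (a plain host-name client) skipping the SRVName entirely and deciding on dNSName.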
_______________________________________________ certid mailing list [email protected] https://www.ietf.org/mailman/listinfo/certid
