These are all good arguments (which I subscribe to) for why treating commercial X.509 as a "successful" trust infrastructure that other identity standards should be leveraging in place of new approaches is a really, really stupid idea.
But I don't think they're relevant to a document describing how one should verify server identity against X.509 certificate content, particularly with respect to anything that isn't a CN RDN or a SAN. By all means rail against the idiocy of this stuff, and I'll join in since there are still people pushing it constantly and belittling those who disagree, but I don't think it needs to be part of this draft.

-- Scott

_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
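As an added example (not from the post above or from the draft it discusses), here is the server-identity check the thread is talking about: match a hostname against a certificate's SAN entries, and consult the CN only when the certificate carries no SAN dNSName at all. The input layout is the dict Python's `ssl` module returns from `getpeercert()` (an assumption made so the example runs offline), the two certificates are constructed, and the matching rules (case-insensitive labels, wildcard only as the whole left-most label, no CN fallback once a SAN dNSName exists, IP literals only against SAN iPAddress entries) are this example's own policy rather than anything the message states.

```python
import ipaddress


def _match_dns_name(presented: str, hostname: str) -> bool:
    """Compare one presented dNSName (possibly a wildcard) against a reference hostname.

    Policy used by this example:
      - ASCII case-insensitive comparison, trailing dots ignored
      - '*' is honoured only when it is the entire left-most label
      - the wildcard covers exactly one label, never 'a.b' and never a bare 'example.com'
      - a wildcard needs at least two labels after it, so '*.com' never matches
    """
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in presented:
        return presented == hostname
    p_labels = presented.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if any("*" in label for label in p_labels[1:]):
        return False
    if len(h_labels) != len(p_labels) or h_labels[0] == "":
        return False
    return p_labels[1:] == h_labels[1:]


def _parse_ip(text: str):
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def verify_hostname(cert: dict, hostname: str) -> bool:
    """Return True if `hostname` is an identity the certificate asserts.

    `cert` follows ssl.SSLSocket.getpeercert():
      cert['subjectAltName'] = (('DNS', 'www.example.com'), ('IP Address', '192.0.2.10'), ...)
      cert['subject']        = ((('commonName', 'www.example.com'),), ...)
    Order of precedence (this example's policy):
      1. IP literal target  -> only SAN 'IP Address' entries may match
      2. SAN 'DNS' entries present -> they are authoritative, CN is ignored
      3. no SAN 'DNS' entries at all -> legacy fallback to commonName
    """
    san = cert.get("subjectAltName", ())
    target_ip = _parse_ip(hostname)
    if target_ip is not None:
        return any(kind == "IP Address" and _parse_ip(value) == target_ip
                   for kind, value in san)
    dns_names = [value for kind, value in san if kind == "DNS"]
    if dns_names:
        return any(_match_dns_name(name, hostname) for name in dns_names)
    # Legacy fallback: the CN is consulted only because no SAN dNSName exists.
    common_names = [value for rdn in cert.get("subject", ())
                    for key, value in rdn if key == "commonName"]
    return any(_match_dns_name(cn, hostname) for cn in common_names)


# Constructed sample certificates (not real certificates).
SAN_CERT = {
    # CN deliberately names something unrelated: with a SAN present it must be ignored.
    "subject": ((("commonName", "attacker.example"),),),
    "subjectAltName": (("DNS", "www.example.com"),
                       ("DNS", "*.api.example.com"),
                       ("IP Address", "192.0.2.10")),
}
CN_ONLY_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "legacy.example.net"),)),
}


if __name__ == "__main__":
    for cert, name in [(SAN_CERT, "www.example.com"), (SAN_CERT, "attacker.example"),
                       (SAN_CERT, "foo.api.example.com"), (SAN_CERT, "192.0.2.10"),
                       (CN_ONLY_CERT, "legacy.example.net")]:
        print(f"{name:24} -> {verify_hostname(cert, name)}")
```

The point of the `SAN_CERT` fixture is the CN/SAN precedence: a verifier that checks the CN whenever it happens to match would accept `attacker.example` here, while one that treats the SAN as authoritative rejects it. The legacy CN fallback exists only for certificates that carry no SAN dNSName at all.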
