Paul Hoffman wrote:
> 
> >   1.  The certificate MUST include a "DNS-ID" (i.e., a subjectAltName
> >       identifier of type dNSName).
> 
> . . .
> 
> >   Therefore, if and only if the identity set does not include
> >   subjectAltName extensions of type dNSName, SRVName, or
> >   uniformResourceIdentifier (or any application-specific subjectAltName
> >   extensions supported by the client), the client MAY as a fallback
> >   check for a fully-qualified DNS domain name in the last Common Name
> >   RDN in the sequence of RDNs making up the Distinguished Name within
> >   the certificate's subjectName (where the term "last" refers to the
> >   DER order, which is often not the string order presented to a user;
> >   the order that is applied here MUST be the DER order).
> 
> Bzzzzzt! All of 3.4.4 is bogus, given that DNS-ID is required. Please remove 
> it.

I think this needs to stay.

The document under discussion is supposed to be a BCP (Best Current Practice)
document, and it will have to describe how clients should deal with
server certificates that do not have subjectAltNames.  It does so by
describing the common practice that has been in use for certs that
do not have subjectAltNames.

-Martin
_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
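The fallback rule quoted above, worked through as an added example (it is not code from the draft or from either poster): the certificate is modelled as constructed Python data rather than parsed DER, and the Common Name is consulted only when the identity set carries no dNSName, SRVName or uniformResourceIdentifier subjectAltName entries. The wildcard policy in `name_matches` is an assumption for illustration.

```python
from typing import List, Sequence, Tuple

# subjectAltName types whose presence rules out the Common Name fallback
SAN_TYPES_BLOCKING_CN = {"dNSName", "SRVName", "uniformResourceIdentifier"}

RDN = Sequence[Tuple[str, str]]          # one RDN: (attribute, value) pairs
SAN = Sequence[Tuple[str, str]]          # subjectAltName: (type, value) pairs


def _looks_like_fqdn(name: str) -> bool:
    """Crude check used for the CN fallback: at least two non-empty labels."""
    labels = name.split(".")
    return len(labels) >= 2 and all(label and " " not in label for label in labels)


def reference_identities(san: SAN, subject_rdns: Sequence[RDN]) -> Tuple[List[str], str]:
    """Return (identities, source) for a constructed certificate.

    subject_rdns is the subject DN as RDNs in DER order (not display order).
    """
    dns_ids = [value for san_type, value in san if san_type == "dNSName"]
    if any(san_type in SAN_TYPES_BLOCKING_CN for san_type, _ in san):
        # Identity set has a usable SAN type: use DNS-IDs only, never the CN.
        return dns_ids, "DNS-ID"
    # Fallback: the *last* CN in DER order, and only if it looks like a FQDN.
    for rdn in reversed(subject_rdns):
        for attribute, value in reversed(list(rdn)):
            if attribute == "CN":
                return ([value] if _looks_like_fqdn(value) else []), "CN-ID"
    return [], "none"


def name_matches(presented: str, reference: str) -> bool:
    """Case-insensitive label match; '*' accepted only as the whole left-most label."""
    p = presented.lower().split(".")
    r = reference.lower().split(".")
    if len(p) != len(r):
        return False
    if p[0] == "*":
        return p[1:] == r[1:]
    return p == r


def certificate_matches(san: SAN, subject_rdns: Sequence[RDN], hostname: str) -> bool:
    """True if some reference identity chosen under the rule above matches hostname."""
    identities, _ = reference_identities(san, subject_rdns)
    return any(name_matches(identity, hostname) for identity in identities)
```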