Paul Hoffman wrote:
>
> If you feel that way, fine. We have historically seen deployed PKIX
> implementations that got the order wrong because they had no certs
> to test with. I do not hold it against someone to get the order wrong,
> particularly because all of the text examples in RFC 5280 say
> "dc=example,dc=com".
You're right on the spot -- all of the DC= examples in RFC 5280 are purely about >>domain name<<. There is also a server mentioned, "ldap.example.com", but there is not a single example in RFC 5280 that puts a >>hostname<< into a DC component.

So why does draft-saintandre-tls-server-id-check-06 come up with the idea of performing a server endpoint identification against a DC that includes a hostname? RFC 2818 never suggested this!

-Martin

_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
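A small illustration of what the thread is arguing about, added here and not taken from the thread, the draft, or RFC 5280: reconstruct the domain name carried in a subject DN's domainComponent (DC) RDNs and compare it with a TLS server's hostname. Assumptions are mine: the DN is in RFC 4514 string form, where RDNs appear most-specific first ("dc=example,dc=com" names example.com), and the matching rule (exact, case-insensitive, trailing dot ignored) is a stand-in for whatever rule a DC-based identity check would adopt, not the draft's wording. The sample DNs are constructed; the last function shows how joining DC values in the certificate's ASN.1 sequence order (root first) instead of string order produces a reversed name.

```python
"""Added example; not code from the certid thread, the draft, or RFC 5280.

Reconstruct the domain encoded in a subject DN's DC RDNs and compare it with a
server hostname.  Assumptions (mine): DNs are RFC 4514 strings, most-specific
RDN first; the comparison rule is a placeholder, not any draft's text.
"""
from typing import List, Optional, Sequence, Tuple


def _split_unescaped(s: str, seps: str) -> List[str]:
    """Split s on characters in seps that are not preceded by a backslash."""
    out, buf, i = [], [], 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):      # keep the escape pair intact
            buf.append(s[i:i + 2])
            i += 2
            continue
        if c in seps:
            out.append("".join(buf))
            buf = []
        else:
            buf.append(c)
        i += 1
    out.append("".join(buf))
    return [p.strip() for p in out if p.strip()]


def _unescape(v: str) -> str:
    """Undo RFC 4514 value escaping: '\\,' -> ',' and hex pairs like '\\2c' -> ','."""
    out, i = [], 0
    while i < len(v):
        if v[i] == "\\" and i + 1 < len(v):
            hx = v[i + 1:i + 3]
            if len(hx) == 2 and all(ch in "0123456789abcdefABCDEF" for ch in hx):
                out.append(chr(int(hx, 16)))
                i += 3
                continue
            out.append(v[i + 1])
            i += 2
            continue
        out.append(v[i])
        i += 1
    return "".join(out)


def split_rdns(dn: str) -> List[str]:
    """RDNs of a string DN, in the order written (most specific first)."""
    return _split_unescaped(dn, ",")


def dc_values(dn: str) -> List[str]:
    """Values of DC attributes in string order; multi-valued RDNs use '+'."""
    vals = []
    for rdn in split_rdns(dn):
        for ava in _split_unescaped(rdn, "+"):
            typ, _, val = ava.partition("=")
            if typ.strip().lower() == "dc":
                vals.append(_unescape(val.strip()))
    return vals


def dc_domain(dn: str) -> Optional[str]:
    """'dc=example,dc=com' -> 'example.com'; None when the DN has no DC RDNs."""
    vals = dc_values(dn)
    return ".".join(vals) if vals else None


def domain_from_asn1_rdns(rdns: Sequence[Tuple[str, str]]) -> Optional[str]:
    """Same reconstruction from the certificate's ASN.1 RDNSequence, which is
    root-first ([DC=com, DC=example]).  The string form reverses that order,
    so joining in sequence order would yield 'com.example' instead."""
    vals = [v for t, v in rdns if t.lower() == "dc"]
    return ".".join(reversed(vals)) if vals else None


def matches_hostname(dn: str, hostname: str) -> bool:
    """Placeholder rule: the DC-derived name must equal the hostname exactly."""
    domain = dc_domain(dn)
    if domain is None:
        return False
    return domain.rstrip(".").lower() == hostname.rstrip(".").lower()


if __name__ == "__main__":
    # Constructed DNs modelled on the RFC 5280-style "dc=example,dc=com".
    for dn in ("dc=example,dc=com",
               "CN=ldap.example.com,DC=example,DC=com",
               "DC=ldap,DC=example,DC=com"):
        print(f"{dn!r:42} -> {dc_domain(dn)!r:20} "
              f"matches ldap.example.com: {matches_hostname(dn, 'ldap.example.com')}")
    print(domain_from_asn1_rdns([("DC", "com"), ("DC", "example")]))
```

The first two constructed DNs yield "example.com", the domain, so under an exact-match rule neither identifies the host ldap.example.com; only a DN that puts the host label itself into a DC RDN does. That is the distinction the message draws between a domain name and a hostname in DC components.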
