On 6/14/10 8:55 PM, Paul Hoffman wrote:
> At 4:12 PM +0200 6/14/10, Martin Rex wrote:
>> Paul Hoffman wrote:
>>>
>>>> 1. The certificate MUST include a "DNS-ID" (i.e., a
>>>> subjectAltName identifier of type dNSName).
>>>
>>> . . .
>>>
>>>> Therefore, if and only if the identity set does not include
>>>> subjectAltName extensions of type dNSName, SRVName, or
>>>> uniformResourceIdentifier (or any application-specific
>>>> subjectAltName extensions supported by the client), the client
>>>> MAY as a fallback check for a fully-qualified DNS domain name
>>>> in the last Common Name RDN in the sequence of RDNs making up
>>>> the Distinguished Name within the certificate's subjectName
>>>> (where the term "last" refers to the DER order, which is often
>>>> not the string order presented to a user; the order that is
>>>> applied here MUST be the DER order).
>>>
>>> Bzzzzzt! All of 3.4.4 is bogus, given that DNS-ID is required.
>>> Please remove it.
>>
>> I think this needs to stay.
>>
>> The document under discussion is supposed to be a BCP (Best current
>> practice) document, and it will have to describe how clients should
>> deal with server certificates that do not have subjectAltNames. It
>> does so by describing the common practice that has been in use for
>> certs that do not have subjectAltNames.
>
> That goes counter to the MUST-level statements in the document. You
> either need to downgrade the MUST-level requirements, or get rid of
> the sections that say, in essence, "if this MUST-level requirement is
> not met, then do this".
I think this list is leaning toward saying that DNS-ID is a SHOULD, not a
MUST, so the quoted text would be appropriate.

Peter

--
Peter Saint-Andre
https://stpeter.im/
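For readers following the argument, here is an added example of what the quoted fallback rule looks like when a client actually implements it. This is not code from the thread, the draft, or any IETF project: it is a stand-alone Go program using only the standard library. It prefers a matching DNS-ID (subjectAltName dNSName), and consults the subject's last Common Name RDN in DER order only when the certificate carries no dNSName, SRVName or URI subjectAltName at all. Go's x509 parser does not surface SRVName, so the presence check scans the raw SAN extension for an otherName of type id-on-dnsSRV; the certificates are generated inline as constructed test data, and wildcard labels are deliberately out of scope.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"strings"
	"time"
)

var (
	oidCommonName = asn1.ObjectIdentifier{2, 5, 4, 3}                 // id-at-commonName
	oidSubjectAlt = asn1.ObjectIdentifier{2, 5, 29, 17}               // id-ce-subjectAltName
	oidDNSSRV     = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 8, 7}  // id-on-dnsSRV (SRVName otherName)
)

// hasSRVName scans the raw SAN extension for an otherName whose type-id is id-on-dnsSRV.
// Go exposes dNSName and URI SANs as typed fields but not SRVName, hence the manual walk.
func hasSRVName(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if !ext.Id.Equal(oidSubjectAlt) {
			continue
		}
		var seq asn1.RawValue // GeneralNames ::= SEQUENCE OF GeneralName
		if _, err := asn1.Unmarshal(ext.Value, &seq); err != nil {
			return false
		}
		for rest := seq.Bytes; len(rest) > 0; {
			var gn asn1.RawValue
			var err error
			if rest, err = asn1.Unmarshal(rest, &gn); err != nil {
				return false
			}
			// otherName is [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
			if gn.Class == asn1.ClassContextSpecific && gn.Tag == 0 {
				var id asn1.ObjectIdentifier
				if _, err := asn1.Unmarshal(gn.Bytes, &id); err == nil && id.Equal(oidDNSSRV) {
					return true
				}
			}
		}
	}
	return false
}

// fallbackPermitted is the quoted "if and only if" condition: the CN may be consulted
// only when no dNSName, SRVName or uniformResourceIdentifier SAN is present.
func fallbackPermitted(cert *x509.Certificate) bool {
	return len(cert.DNSNames) == 0 && len(cert.URIs) == 0 && !hasSRVName(cert)
}

// lastCommonName returns the value of the last CN RDN in DER order. Subject.Names keeps
// the encoded order; a display string such as "CN=a, O=b" may not, which is the point
// the quoted text makes about "last".
func lastCommonName(cert *x509.Certificate) (string, bool) {
	cn, found := "", false
	for _, atv := range cert.Subject.Names {
		if atv.Type.Equal(oidCommonName) {
			if s, ok := atv.Value.(string); ok {
				cn, found = s, true
			}
		}
	}
	return cn, found
}

// matchReference applies the rule to a reference identity and reports which identifier
// type matched ("DNS-ID" or "CN-ID"). Exact case-insensitive comparison only.
func matchReference(cert *x509.Certificate, reference string) (string, error) {
	ref := strings.ToLower(strings.TrimSuffix(reference, "."))
	for _, name := range cert.DNSNames {
		if strings.ToLower(name) == ref {
			return "DNS-ID", nil
		}
	}
	if !fallbackPermitted(cert) {
		return "", errors.New("no DNS-ID matched and SANs are present, so CN fallback is not permitted")
	}
	cn, ok := lastCommonName(cert)
	if !ok {
		return "", errors.New("no DNS-ID and no Common Name to fall back to")
	}
	if strings.ToLower(cn) == ref {
		return "CN-ID", nil
	}
	return "", fmt.Errorf("no identifier matched %q", reference)
}

// selfSigned builds a throw-away certificate for the demo (constructed test data only).
// ExtraNames are appended after CommonName, so a CN listed there is last in DER order.
func selfSigned(subject pkix.Name, dnsNames []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
		DNSNames:     dnsNames,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	withDNSID, _ := selfSigned(pkix.Name{CommonName: "www.example.com"}, []string{"www.example.com"})
	cnOnly, _ := selfSigned(pkix.Name{
		Organization: []string{"Example Corp"},
		CommonName:   "Example Web Server", // first CN RDN, not the host name
		ExtraNames:   []pkix.AttributeTypeAndValue{{Type: oidCommonName, Value: "www.example.com"}},
	}, nil)
	sanMismatch, _ := selfSigned(pkix.Name{CommonName: "www.example.com"}, []string{"other.example.net"})
	for _, cert := range []*x509.Certificate{withDNSID, cnOnly, sanMismatch} {
		kind, err := matchReference(cert, "www.example.com")
		fmt.Printf("matched=%q err=%v\n", kind, err)
	}
}
```

The third certificate is the case Paul Hoffman's objection turns on: it has a dNSName SAN that does not match, so even though its CN does, the rule forbids looking at the CN and the match fails. That is the behaviour a client gets whether DNS-ID is a MUST or a SHOULD; the only difference the level makes is whether a certificate like the second one is considered conformant.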
_______________________________________________ certid mailing list [email protected] https://www.ietf.org/mailman/listinfo/certid
