On 12/8/10 3:48 PM, =JeffH wrote: >> Possible text for the Security Considerations: >> >> ### >> >> 5.4. Multiple Identifiers >> >> This specification allows multiple DNS-IDs, SRV-IDs, or URI-IDs in a >> certificate, but discourages multiple CN-IDs. The inclusion in the >> Common Name of multiple strings whose form matches that of a fully- >> qualified DNS domain name (e.g., "www.example.com") makes it more >> difficult to parse the Common Name and increases the likelihood of >> false positives in the identity verification process. Although it >> would be preferable to forbid multiple CN-IDs entirely, there are >> several reasons why this specification states that they SHOULD NOT >> (instead of MUST NOT) be included: >> >> o At least one significant technology community of interest >> explicitly allows multiple CN-IDs [EV-CERTS]. >> >> o At least one significant certification authority is known to issue >> certificates containing multiple CN-IDs. >> >> o Many service providers often deem inclusion of multiple CN-IDs >> necessary in "virtual hosting" environments because at least one >> widely-deployed operating system does not yet support the Server >> Name Indication extension [TLS-EXT] >> >> It is hoped that the recommendation in this specification can be >> further tightened in the future. >> >> ### >> >> To be referenced from bullet #6 in Section 3.1: >> >> 6. The certificate MAY contain more than one DNS-ID, SRV-ID, or >> URI-ID (but SHOULD NOT contain more than one CN-ID, as further >> explained under Section 5.4). > > > in general looks good to me, thanks. > > However, I'd alter the first sentence to s/allows/accommodates/, and in > 2nd sentence s/discourages/explicitly discourages/. > > I'd alter the last sentence of 1st para s/reasons/reasons at this time/.
Agreed, and fixed. > And in terms of this.. > > The inclusion of > multiple strings whose form matches that of a fully-qualified DNS > domain name (e.g., "www.example.com") makes it more difficult to > parse the Common Name and therefore increases the likelihood of false > positives in the identity verification process. > > > ..well, no, it doesn't make it more difficult to parse, and "it" is the > Subject, not "the CN". There's multiple CN= AVAs in the Subject, but > parsing > them out is simple. I guess I'd just delete that entire middle sentence > "The > inclusion of...process." Well, since this text is in the security considerations section, presumably we need to provide some security-related justification for saying you SHOULD NOT include multiple CN-IDs, instead of mere aesthetic preference. :) Peter -- Peter Saint-Andre https://stpeter.im/
smime.p7s
Description: S/MIME Cryptographic Signature
_______________________________________________ certid mailing list [email protected] https://www.ietf.org/mailman/listinfo/certid
