On 10/17/19 17:49, David Woodhouse wrote:
> On Thu, 2019-10-17 at 17:35 +0200, Laszlo Ersek wrote:
>> Reference [2] advises to put the IP address in both CN and
>> SAN.iPAddress for best compatibility, and that would be fine, for
>> X509_VERIFY_PARAM_set1_ip(). But the word "only" in [3] is really bad
>> for X509_VERIFY_PARAM_set1_ip().
>
> I don't believe it's true, and it conflicts with what's in [2] which
> suggests that you do it properly *and* put it in the legacy CN for the
> benefit of broken clients.
>
> None of this convinces me that EDK2 should deliberately be one of those
> "broken clients". Just fix it. Let people worry about compatibility
> with historical buggy versions of proprietary operating systems when
> they issue their certs.
>
Personally I'm OK with this.

Thanks
Laszlo