Hi Bernard, I don't think a valid certificate can have multiple subject distinguished names. I think it would be more in line with RFC 3280 to treat the subject distinguished name as part of the valid name set if it is non-empty.
"It is possible for more than one subjectAltName field to be present in a peer or server certificate in addition to a non-empty subject distinguished name. EAP-TLS implementations SHOULD export a non-empty Subject distinguished name along with all the subjectAltName fields within Peer-Ids or Server-Ids; all of the exported Peer-Ids and Server-Ids are considered valid."

Joe

> -----Original Message-----
> From: Bernard Aboba [mailto:[EMAIL PROTECTED]
> Sent: Tuesday, June 05, 2007 10:05 PM
> To: emu@ietf.org
> Subject: [Emu] Proposed Resolution to multiple Peer-Id/Server-Id Issue
>
> It has been pointed out that an EAP-TLS certificate can
> contain multiple subject or subjectAltName fields.
>
> To address this, I propose that we add the following text to
> Section 5.2:
>
> It is possible for more than one subjectAltName field to be
> present in a peer or server certificate. Where more than one
> subjectAltName field is present in a certificate, EAP-TLS
> implementations SHOULD export all the subjectAltName fields
> within Peer-Ids or Server-Ids; all of the exported Peer-Ids and
> Server-Ids are considered valid.
>
> Similarly, if more than one subject field is present in a
> peer or server certificate, and no subjectAltName field is
> present, then EAP-TLS implementations SHOULD export all of
> the subject fields within Peer-Ids and Server-Ids; all of the
> exported Peer-Ids and Server-Ids are considered valid.
>

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www1.ietf.org/mailman/listinfo/emu
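An added example in Go (not part of the thread, and not code from any EAP-TLS implementation) of the export rule Joe proposes, applied to a certificate parsed with the standard library: the non-empty subject DN goes out together with every subjectAltName entry, and an empty subject contributes nothing. `exportIDs` and `makeTestCert` are hypothetical names, and the certificate is a constructed self-signed sample.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// exportIDs applies the rule Joe proposes: a non-empty subject DN is exported
// with every subjectAltName entry (dNSName and rfc822Name shown; iPAddress and
// URI work the same) and each exported value is a valid Peer-Id/Server-Id.
func exportIDs(cert *x509.Certificate) []string {
	var ids []string
	if len(cert.Subject.ToRDNSequence()) > 0 { // empty subject DN exports nothing
		ids = append(ids, "subject:"+cert.Subject.String())
	}
	for _, d := range cert.DNSNames {
		ids = append(ids, "dns:"+d)
	}
	for _, e := range cert.EmailAddresses {
		ids = append(ids, "email:"+e)
	}
	return ids
}

// makeTestCert (hypothetical helper) builds a constructed self-signed sample
// certificate with the given CN ("" gives an empty subject DN) and SAN entries.
func makeTestCert(cn string, dns, emails []string) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		DNSNames: dns, EmailAddresses: emails,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	// Re-parse so exportIDs sees exactly what a peer would receive on the wire.
	return x509.ParseCertificate(der)
}
```

For a certificate with CN=peer1, two dNSName entries and one rfc822Name, `exportIDs` returns four identities, the subject DN first.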