Seiichi Kawamura wrote:

>>> As far as X.509 certificates go, this point is correct, but using
>>> IP addresses in subjectAltName (lower case s) is a really bad 
>>> idea anyway. We recommend against this in section 5.3.5 of 
>>> draft-carpenter-renum-needs-work-03 (which is under AD review for
>>> Informational status).

> Yes. I agree. I did have doubts about focusing on subjectAltName as a
> common example, but I could not come up with a better one right now.

If there is a subsection that touches certificates, I think the Subject and
Issuer fields should also be mentioned, since CNs (common names)
sometimes contain addresses. Mentioning them all should make a better
example.

I noticed Brian's draft does not mention this explicitly, but I take it that
"Any other use of IP addresses in cryptographic material is likely to be
similarly troublesome." is there to cover CNs too.

I have added a Cc: to Stefan Winter, since Stefan is author of
draft-ietf-radext-radsec-05 "RADIUS over TCP/TLS (RadSec)". The reason I
noticed the address presentation problem with subjectAltName was when I
was experimenting with RadSec.  Part of the draft describes how to
verify certificates when subjectAltName or CN contains IP addresses.

> I did think the verification problem that Heikki mentioned is 
> important and can happen in other protocols so I might fix the 
> wording to focus on the problem.

Certificates with IP addresses are sold and used, so I would not be
surprised if address presentation leads to verification problems.

-- 
Heikki Vatiainen, Arch Red Oy
+358 44 087 6547


--------------------------------------------------------------------
IETF IPv6 working group mailing list
ipv6@ietf.org
Administrative Requests: https://www.ietf.org/mailman/listinfo/ipv6
--------------------------------------------------------------------
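As an added illustration of the address presentation problem discussed in this thread (example code written for this page, not taken from the RadSec draft or any implementation): the same IPv6 address has several valid textual forms, so a CN that carries it as text must be compared as a parsed address rather than as a string, while a subjectAltName iPAddress entry already holds raw octets. All sample values below are constructed.

```python
import ipaddress

# Constructed sample values: one IPv6 address in several presentations a
# CN might carry, plus the packed form a subjectAltName iPAddress entry
# holds (RFC 5280 stores iPAddress as raw 4 or 16 octets, so the binary
# form has no presentation ambiguity; the text forms do).
CN_PRESENTATIONS = [
    "2001:db8::1",
    "2001:DB8::1",
    "2001:0db8:0000:0000:0000:0000:0000:0001",
    "2001:db8:0:0:0:0:0:1",
    "2001:db8::0001",
]
SAN_IPADDRESS_OCTETS = bytes.fromhex("20010db8000000000000000000000001")
PEER_ADDRESS = "2001:db8::1"  # constructed: the address the peer connected from


def naive_match(cert_text: str, peer_text: str) -> bool:
    """Plain string comparison: fails whenever the certificate and the
    peer address were written in different presentations."""
    return cert_text == peer_text


def normalized_match(cert_value, peer_text: str) -> bool:
    """Compare as addresses, not as strings. Accepts the text form (CN)
    or the packed octets (subjectAltName iPAddress)."""
    try:
        cert_addr = ipaddress.ip_address(cert_value)
        peer_addr = ipaddress.ip_address(peer_text)
    except ValueError:
        # Unparseable value: report no match rather than guess.
        return False
    return cert_addr == peer_addr


def compare_all(peer_text: str = PEER_ADDRESS) -> dict:
    """Run both checks over every sample; maps each presentation to
    (naive_result, normalized_result)."""
    results = {}
    for text in CN_PRESENTATIONS:
        results[text] = (naive_match(text, peer_text),
                         normalized_match(text, peer_text))
    # Packed SAN octets have no text form to string-compare, so naive is False.
    results["SAN iPAddress octets"] = (False, normalized_match(SAN_IPADDRESS_OCTETS, peer_text))
    return results


if __name__ == "__main__":
    for name, (naive, strict) in compare_all().items():
        print(f"{name!r:45} naive={naive!s:5} normalized={strict}")
```

Only the first presentation survives the string comparison; every form, including the packed SAN octets, matches once both sides are parsed as addresses.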
