On Mon, Oct 02, 2023 at 11:36:25AM +0000, Yao, Jiewen wrote: > Comment on subjectAltName. > > PCI-SIG realized that it may cause problem for certain device > and decided to remove such requirement in future ECN. > I don't think that is absolutely needed.
We have to follow what's in the spec. We can't just leave out certain elements because they might possibly maybe be removed in the future. PCIe r6.1 does require the Subject Alternative Name and that's the latest version, so we follow that. The ECN that you're referring to only exists as a draft in the PCISIG's Review Zone Archive. My understanding is that the Subject Alternative Name's purpose is to eliminate certain threats in the CMA threat model: The Subject Alternative Name is basically a signed version of the device's identity in config space. Without it, a different device might misappropriate a device's certificate + private key. If the Subject Alternative Name requirement is dropped, I would like to know how that threat is prevented instead? I don't quite understand what you mean by "may cause problem for certain device". I've asked the editor of the PCIe Base Spec why they're considering removing the requirement and the gist of the answer was -- I'm paraphrasing here -- that vendors thought the requirement is generally quite narrow and perceived as a straight-jacket and that at this point, more flexibility is desired as to the identification scheme. There was no mention at all of "problems for certain devices". Thanks, Lukas
