> On Mar 15, 2021, at 7:58 AM, Eliot Lear <[email protected]>
> wrote:
>
> Architecturally, Rich is nailing it. We should be encouraging the use of
> SANs. However, use of SANs beyond the scope of the web may not be entirely
> ubiquitous, and so we should either be a bit more targeted, or slow roll the
> other uses with some backward compatibility language. Personally I like the
> latter approach. We shouldn’t hold up deprecation across the web due to the
> other uses, but we should encourage those other uses to move off of subject.
>
> If Rich and others are ok with that, I’m all for adoption.

Certificates are barely checked in SMTP at all (opportunistic
and at that), but to the extent that they are, I am not aware
of anyone who's got meaningful certificates that only have a
matching CN and no matching SAN.

It is fine to deprecate the requirement to support CNs in the
absence of a DNS-ID SAN also for SMTP (not just Web). Long
overdue.

--
Viktor.
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
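
The check discussed in this thread, as an added example that is not part of the original messages: a reference-identity matcher that accepts only DNS-ID SANs and reports certificates that could match solely through the subject CN, so they can be inventoried before CN fallback is dropped. The certificate dicts are constructed samples in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the function names, the host names and the refusal of wildcards such as `*.com` are assumptions of this example.

```python
# Constructed sample certificates in the dict shape of ssl.SSLSocket.getpeercert().
SAN_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "*.mx.example.com")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "mail.example.com"),),)}
# A DNS-ID is present but does not match; the CN must then not be consulted.
STALE_SAN_CERT = {
    "subject": ((("commonName", "mail.example.com"),),),
    "subjectAltName": (("DNS", "old.example.com"),),
}


def _name_match(pattern: str, host: str) -> bool:
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Assumption: refuse wildcards directly under a TLD-like suffix (e.g. *.com).
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def dns_ids(cert: dict) -> list:
    """All dNSName entries of the subjectAltName extension."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def common_names(cert: dict) -> list:
    """All commonName attributes of the subject DN."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def check_identity(cert: dict, host: str) -> str:
    """Return 'match', 'cn-only' or 'mismatch'; only 'match' may be accepted."""
    sans = dns_ids(cert)
    if any(_name_match(p, host) for p in sans):
        return "match"
    # The CN is inspected for reporting only and never yields an accepted match.
    if not sans and any(_name_match(cn, host) for cn in common_names(cert)):
        return "cn-only"
    return "mismatch"
```

A caller treats every result other than `match` as a verification failure; `cn-only` exists only so that logs show which peers still depend on the deprecated fallback.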