Hi Rich,

A few of us just had this discussion in another context. Try this:

CAs MUST populate a SAN.
Verifiers MUST use a SAN if present.
Verifiers MUST reject certificates without a SAN by default.
Verifiers MAY be configured to accept certificates without SANs when very long lived certificates are expected to be encountered.

Eliot

> On 19 Apr 2021, at 18:33, Salz, Rich <[email protected]> wrote:
>
> I don’t know of a good way to address the concern raised by Eliot [1]. I
> don't want to make the requirements weaker. I would really like to hear from
> others.
>
> [1] https://mailarchive.ietf.org/arch/msg/uta/ayfVzc_j0kK7wY0_cW8OR9r81LE/
>
> _______________________________________________
> Uta mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/uta
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
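
The verifier-side rules proposed in the message above, as an added example that is not part of the original thread or of any UTA draft. It assumes certificates parsed into the dictionary shape returned by Python's ssl.SSLSocket.getpeercert(), and it assumes that "accept certificates without SANs" means falling back to the subject commonName; the names verify_identity, dns_match and allow_missing_san, and the sample certificates, are constructed for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Decision:
    accepted: bool
    reason: str


def dns_match(pattern, host):
    """Case-insensitive match; '*' is honoured only as the whole left-most label."""
    pl = pattern.lower().rstrip(".").split(".")
    hl = host.lower().rstrip(".").split(".")
    if len(pl) != len(hl):
        return False
    return all(p == h or (i == 0 and p == "*")
               for i, (p, h) in enumerate(zip(pl, hl)))


def verify_identity(cert, hostname, allow_missing_san=False):
    """Apply the proposed verifier rules to a getpeercert()-style dict."""
    sans = cert.get("subjectAltName", ())
    if sans:
        # MUST use a SAN if present: the commonName is never consulted here.
        dns_names = [value for kind, value in sans if kind == "DNS"]
        if any(dns_match(name, hostname) for name in dns_names):
            return Decision(True, "matched SAN")
        return Decision(False, "SAN present but no entry matches")
    if not allow_missing_san:
        # MUST reject certificates without a SAN by default.
        return Decision(False, "no SAN")
    # MAY be configured to accept: explicit opt-in for long-lived certificates.
    # Assumption: acceptance then means matching the subject commonName.
    cns = [value for rdn in cert.get("subject", ())
           for key, value in rdn if key == "commonName"]
    if any(dns_match(cn, hostname) for cn in cns):
        return Decision(True, "matched commonName (opt-in, no SAN)")
    return Decision(False, "no SAN and commonName does not match")


# Constructed sample certificates (not taken from the thread).
SAN_CERT = {
    "subject": ((("commonName", "legacy.example.test"),),),
    "subjectAltName": (("DNS", "www.example.test"),
                       ("DNS", "*.api.example.test")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.test"),),)}
```
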
