W3C home > Mailing lists > Public > public-xg-webid@w3.org > January 2011

Re: Issuer Alternative Names

From: Jan Wildeboer <jan@wildeboer.net>
Date: Thu, 27 Jan 2011 14:59:43 +0100
Message-ID: <4D417A4F.1030906@wildeboer.net>
To: Henry Story <henry.story@bblfish.net>
CC: WebID XG <public-xg-webid@w3.org>
On 01/27/2011 02:49 PM, Henry Story wrote:

> Btw. nathan pointed a few days to the following RFC that has some useful
> background information on SAN's in certificates.
>    http://tools.ietf.org/html/draft-saintandre-tls-server-id-check-14
> I have not studied it in detail. If someone can gives us a one paragraph
> summary of what they are doing that would help.

AFAICS (quoted directly)

    For the primary audience of application protocol designers, this
    document provides recommended procedures for the representation and
    verification of application service identity within PKIX certificates
    used in the context of TLS.

    o  Move away from including and checking strings that look like
       domain names in the subject's Common Name.

    o  Move toward including and checking DNS domain names via the
       subjectAlternativeName extension designed for that purpose:

    o  Move toward including and checking even more specific
       subjectAlternativeName extensions where appropriate for the using
       protocol (e.g., uniformResourceIdentifier and the otherName form

    o  Move away from the issuance of so-called wildcard certificates
       (e.g., a certificate containing an identifier for

And also note 1.7.2:

The following topics are out of scope for this specification:

    o  Client or end-user identities.
    o  Identifiers other than fully-qualified DNS domain names.


It's aim is to have unified methods of service identity using PKIX in a 
uniform way. That would be my conclusion.

Received on Thursday, 27 January 2011 14:00:17 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:06:21 UTC