- From: Jan Wildeboer <jan@wildeboer.net>
- Date: Thu, 27 Jan 2011 14:59:43 +0100
- To: Henry Story <henry.story@bblfish.net>
- CC: WebID XG <public-xg-webid@w3.org>
On 01/27/2011 02:49 PM, Henry Story wrote:
> Btw. nathan pointed a few days to the following RFC that has some useful
> background information on SAN's in certificates.
> http://tools.ietf.org/html/draft-saintandre-tls-server-id-check-14
> I have not studied it in detail. If someone can gives us a one paragraph
> summary of what they are doing that would help.
AFAICS (quoted directly)
For the primary audience of application protocol designers, this
document provides recommended procedures for the representation and
verification of application service identity within PKIX certificates
used in the context of TLS.
o Move away from including and checking strings that look like
domain names in the subject's Common Name.
o Move toward including and checking DNS domain names via the
subjectAlternativeName extension designed for that purpose:
dNSName.
o Move toward including and checking even more specific
subjectAlternativeName extensions where appropriate for the using
protocol (e.g., uniformResourceIdentifier and the otherName form
SRVName).
o Move away from the issuance of so-called wildcard certificates
(e.g., a certificate containing an identifier for
"*.example.com").
And also note 1.7.2:
The following topics are out of scope for this specification:
o Client or end-user identities.
o Identifiers other than fully-qualified DNS domain names.
[...]
It's aim is to have unified methods of service identity using PKIX in a
uniform way. That would be my conclusion.
Jan
Received on Thursday, 27 January 2011 14:00:17 UTC