[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: URN in subjectAltName

To: Milan Sova <sova+pkix@xxxxxxxxx>, ietf-pkix@xxxxxxxx
Subject: Re: URN in subjectAltName
From: Paul Hoffman <paul.hoffman@xxxxxxxx>
Date: Fri, 26 Jan 2007 08:41:39 -0800
In-reply-to: <45B94A66.3030107@xxxxxxxxx>
List-archive: <http://www.imc.org/ietf-pkix/mail-archive/>
List-id: <ietf-pkix.imc.org>
List-unsubscribe: <mailto:ietf-pkix-request@imc.org?body=unsubscribe>
References: <45B94A66.3030107@xxxxxxxxx>
Sender: owner-ietf-pkix@xxxxxxxxxxxx


At 1:25 AM +0100 1/26/07, Milan Sova wrote:

	Hi.

	In our project, we mark end entities with URNs and need to include
these names in the certificates. We started with using
subjectAltName.URI field for this (as URN is a "subtype" of URI).
However, this practice clashes with RFC 3280 which explicitly requires
absolute URL for the field.

	Is there any specific reason for excluding URNs from subjectAltName?

Yes, but it is not a good one in my opinion. The URI use insubjectAltName is only meant to be a host computer reach by aprotocol, not a vanilla identifier such as a URN. Thus, there is therestriction that there has to be a host name.

If you want a URN, you should consider using otherName instead. This,of course, shows the silliness of the specificity of theuniformResourceIdentifier type, but it is needed if you want tofollow 3280.


--Paul Hoffman, Director
--VPN Consortium

References:
- URN in subjectAltName
  - From: Milan Sova

Prev by Date: URN in subjectAltName
Next by Date: Re: R X mie
Previous by thread: URN in subjectAltName
Next by thread: Re: URN in subjectAltName
Index(es):
- Date
- Thread