Re: URN in subjectAltName
Paul Hoffman wrote:
>
> At 2:16 AM -0500 1/28/07, Russ Housley wrote:
>> At the time that RFC 2459 was written, URLs were the only things
>> mature enough to include here. No one asked this question during the
>> update to RFC 2459, which resulted in RFC 3280.
>>
>> Going forward, I see two possible ways to go forward:
>>
>> 1) Revisit the uri choice, and see if people think URNs ought to be
>> permitted. One obvious question is to determine whether existing
>> implementations would fail badly if a URN was received here.
>
> This seems like overkill given the low usage of URNs as identifiers that
> are associated with public keys.
Couldn't it be a kind of chicken-and-egg problem?
>
>> 2) Define a way to carry URNs in an other name.
>
> Anders and I have suggested two legal ways to do this already.
I'm not sure I consider storing URNs in X502SerialNumber fully legal.
IMO there is/should be a difference in how a CA verifies those two
pieces of information.
In principle, I'm not against using a subjectAltName.otherName.URN if
it was standardized. I'd prefer the URI as a more natural place, though.
Regards
--
Milan Sova
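To make the two placements discussed in this thread concrete, here is an added example (not code from the thread or from any of its participants) that builds a constructed SubjectAltName value in DER and walks its GeneralNames, separating a URN carried in the uniformResourceIdentifier choice from one carried in an otherName. The OID 1.2.3.4 is a placeholder type-id, since no otherName type for URNs is named in the thread, and the otherName value is assumed to be an IA5String.

```python
# Added example: tiny DER walker for a SubjectAltName value (SEQUENCE OF GeneralName).
# The sample at the bottom is constructed; OID 1.2.3.4 is a placeholder type-id.

def tlv(tag, body):  # short-form DER TLV (body < 128 bytes)
    assert len(body) < 128
    return bytes([tag, len(body)]) + body

def read_tlv(buf, pos):  # -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(b):
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def parse_san(der):
    """Return (kind, value) for each GeneralName in a SubjectAltName value."""
    tag, body, _ = read_tlv(der, 0)
    assert tag == 0x30, "SubjectAltName must be a SEQUENCE"
    names, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == 0x86:    # [6] uniformResourceIdentifier, IMPLICIT IA5String
            names.append(("uri", val.decode("ascii")))
        elif tag == 0xA0:  # [0] otherName { type-id OID, value [0] EXPLICIT ANY }
            _, oid, p = read_tlv(val, 0)
            _, wrapper, _ = read_tlv(val, p)
            _, inner, _ = read_tlv(wrapper, 0)  # IA5String assumed for the placeholder type
            names.append(("otherName", (decode_oid(oid), inner.decode("ascii"))))
        else:
            names.append(("other", tag & 0x1F))
    return names

def urns_in_uri_slot(der):
    """URNs placed in the URI choice: the interop case the thread is unsure about."""
    return [v for k, v in parse_san(der) if k == "uri" and v.lower().startswith("urn:")]

# Constructed SAN: a URL, a URN in the URI choice, and a URN inside an otherName.
SAN_DER = tlv(0x30, tlv(0x86, b"https://example.com")
              + tlv(0x86, b"urn:example:foo")
              + tlv(0xA0, tlv(0x06, bytes([0x2A, 0x03, 0x04]))
                          + tlv(0xA0, tlv(0x16, b"urn:example:bar"))))
```

Running `parse_san(SAN_DER)` shows all three names; `urns_in_uri_slot` picks out only the URN that sits in the URI choice, which is the entry a relying party following RFC 3280 strictly might not expect.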