3. Using Distinguished Names for Internet Mail
End-entity certificates MAY contain an Internet mail address as described in [RFC-2822]. The address must be an "addr-spec" as defined in Section 3.4.1 of that specification. The email address SHOULD be in the subjectAltName extension, and SHOULD NOT be in the subject distinguished name.
4.1.2.6 Subject
...Conforming implementations generating new certificates with electronic mail addresses MUST use the rfc822Name in the subject alternative name field (section 4.2.1.7) to describe such identities. Simultaneous inclusion of the EmailAddress attribute in the subject distinguished name to support legacy implementations is deprecated but permitted.
Hello
We issue, among others, certificates for secure email to the public. Our standard profile uses the email field according to RFC 3280. We came to the conclusion that all newer email implementations can handle email addresses in the subject field as email.
We are now in the process of implementing an automatic interface by means of CMP (RFC 2510). The product attached and tested requests the email in the certificate extension SubjectAltName. By browsing around I came across RFC 3850, where it is stated:
3. Using Distinguished Names for Internet Mail
End-entity certificates MAY contain an Internet mail address as described in [RFC-2822]. The address must be an "addr-spec" as defined in Section 3.4.1 of that specification. The email address SHOULD be in the subjectAltName extension, and SHOULD NOT be in the subject distinguished name.
My questions:
- What is the current standard for implementing email addresses in an X.509 v3 certificate?
- Is the RFC 822 email address in the SubjectAltName still required, or just optional for legacy?
Thanks
Lorenz
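As an added example (not from the original post, nor from the CMP product it mentions), the two placements the quoted RFC text describes, built and checked with Python's `cryptography` package: the rfc822Name in subjectAltName that RFC 3280 requires, the deprecated emailAddress subject attribute as an option, and a checker that reports which form a certificate carries. The subscriber name and address are constructed sample values.

```python
# Added example, not from the original post: issue a test certificate with the
# e-mail identity as rfc822Name in subjectAltName (optionally also as the legacy
# emailAddress subject attribute) and check which form a certificate carries.
# Assumes the 'cryptography' package; the address is a constructed sample value.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

def build_email_cert(email, legacy_subject_email=False):
    key = ec.generate_private_key(ec.SECP256R1())
    attrs = [x509.NameAttribute(NameOID.COMMON_NAME, "Test Subscriber")]
    if legacy_subject_email:
        # Deprecated but permitted (RFC 3280 4.1.2.6), only for old clients.
        attrs.append(x509.NameAttribute(NameOID.EMAIL_ADDRESS, email))
    name = x509.Name(attrs)
    now = datetime.datetime.now(datetime.timezone.utc)
    return (
        x509.CertificateBuilder()
        .subject_name(name).issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(now)
        .not_valid_after(now + datetime.timedelta(days=1))
        # The required form: rfc822Name in subjectAltName.
        .add_extension(x509.SubjectAlternativeName([x509.RFC822Name(email)]), critical=False)
        .sign(key, hashes.SHA256())
    )

def email_identities(cert):
    """Return (rfc822Names from SAN, emailAddress values from the subject DN)."""
    try:
        san = cert.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME).value
        san_emails = san.get_values_for_type(x509.RFC822Name)
    except x509.ExtensionNotFound:
        san_emails = []
    subject_emails = [a.value for a in cert.subject.get_attributes_for_oid(NameOID.EMAIL_ADDRESS)]
    return san_emails, subject_emails

def profile_findings(cert):
    """Deviations from the RFC 3280 / RFC 3850 e-mail profile; empty if conforming."""
    san_emails, subject_emails = email_identities(cert)
    findings = []
    if not san_emails:
        findings.append("no rfc822Name in subjectAltName (RFC 3280 4.1.2.6 MUST)")
    if subject_emails:
        findings.append("emailAddress in subject DN (deprecated, RFC 3850 SHOULD NOT)")
    return findings
```

A verifying mail client should take the address from the SAN and treat a subject-only emailAddress as a legacy fallback, which is what `email_identities` lets a caller do.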