Re: Is eMail address in SubjectAltName still necessary
At 8:39 AM +0100 1/30/07, <Lorenz.Neher@xxxxxxxxxxxx> wrote:

Hello

We issue, among others, certificates for secure email to the public. Our standard profile uses the email field according to RFC 3280. We came to the conclusion that all newer email implementations can handle email addresses in the subject field a email.

We are now in the process of implementing an automatic interface by means of CMP (RFC 2510). The product attached and tested requests the email in the certificate extension SubjectAltName. By browsing around I came across RFC 3850, where it is stated:

3. Using Distinguished Names for Internet Mail

End-entity certificates MAY contain an Internet mail address as described in [RFC-2822]. The address must be an "addr-spec" as defined in Section 3.4.1 of that specification. The email address SHOULD be in the subjectAltName extension, and SHOULD NOT be in the subject distinguished name.

My question:

- What is the current standard for implementing email addresses in an X.509 v3 certificate?
- Is the RFC 822 email address in the SubjectAltName still required or just optional for legacy

Thanks
Lorenz

Lorenz,
The situation is really the opposite of what you ask in your last
question, i.e., putting an e-mail address in the Subject DN is the
legacy approach. RFC 3280 strongly prefers putting an e-mail address
in the SAN over putting it in the Subject DN.
Steve
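
As an added illustration (not part of the original thread): a Go check that reports whether a certificate carries its mail address as an rfc822Name in subjectAltName, the placement the quoted RFC 3850 text and the reply above prefer, or as an emailAddress attribute in the subject DN. The names `emailPlacement` and `makeCert`, the fixed test key and the address `user@example.com` are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// PKCS #9 emailAddress (1.2.840.113549.1.9.1): the legacy subject DN placement.
var oidEmailAddress = asn1.ObjectIdentifier{1, 2, 840, 113549, 1, 9, 1}

// emailPlacement returns SAN rfc822Name entries (san) and subject DN emailAddress values (dn).
func emailPlacement(cert *x509.Certificate) (san, dn []string) {
	for _, atv := range cert.Subject.Names {
		if s, ok := atv.Value.(string); ok && atv.Type.Equal(oidEmailAddress) {
			dn = append(dn, s)
		}
	}
	return cert.EmailAddresses, dn
}

// makeCert builds a constructed self-signed test certificate (hypothetical helper).
func makeCert(dnMail string, sanMails []string) (*x509.Certificate, error) {
	priv := ed25519.NewKeyFromSeed(make([]byte, ed25519.SeedSize)) // fixed test key
	subj := pkix.Name{CommonName: "Example User"}
	if dnMail != "" { // emailAddress is encoded as an IA5String
		subj.ExtraNames = []pkix.AttributeTypeAndValue{{Type: oidEmailAddress,
			Value: asn1.RawValue{Tag: asn1.TagIA5String, Bytes: []byte(dnMail)}}}
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: subj, EmailAddresses: sanMails,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, priv.Public(), priv)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, err := makeCert("user@example.com", []string{"user@example.com"})
	if err != nil {
		panic(err)
	}
	fmt.Println(emailPlacement(cert))
}
```

A certificate where `dn` is non-empty and `san` is empty follows the legacy profile; an issuer migrating profiles can run the same check over its issued certificates to see which placement each one uses.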