Re: [IETF-PKIX] Question about SubjectAltNames
> From: "Phillip H. Griffin" <asn1@MINDSPRING.COM>
>
> Jim,
>
> X.520 indicates that commonName is a reasonable solution. It
> states that:
>
> "The Common Name attribute type specifies an identifier of an object.
> A Common Name is not a directory name; it is a (possibly ambiguous)
> name by which the object is commonly known in some limited scope
> (such as an organization) and conforms to the naming conventions of
> the country or culture with which it is associated."
>
> This seems to cover your need. Examples are also given there:
>
> "Examples:
>
> CN = "Mr. Robin Lachlan McLeod BSc(Hons) CEng MIEE";
> CN = "Divisional Coordination Committee";
> CN = "High Speed Modem".
Phil,
I believe Jim's question, which I share, is: does X.509 (and/or PKIX)
require "Distinguished Names" to be "Directory Names"?
I am of the opinion that X.509 is not tied inextricably to X.500, and
that Authorities and Relying Parties should be free to use the
SEQUENCE OF RelativeDistinguishedName syntax (and the associated
nameConstraints extension) in any way that makes sense to them. Under
this scenario, it would be completely legal to have a subjectName of
"CN = High Speed Modem".
Unfortunately, this example is not a Directory Name, because it is
not a unique identifier within the DIT. Many user communities (such as
MISSI) will restrict usage to Directory Names because that convention
makes many things simpler. But does X.509 require this restriction?
Consensus, anyone?
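Added example, not part of the thread: a small pure-Python DER encoder and decoder for the Name syntax under discussion (SEQUENCE OF RelativeDistinguishedName, each a SET OF AttributeTypeAndValue). It shows that "CN = High Speed Modem" is a perfectly well-formed Name at the syntax level; nothing in the encoding enforces uniqueness within a DIT, so that property can only come from an issuer's naming policy. The OID table and sample values are constructed here, and all values are encoded as UTF8String for simplicity.

```python
# Minimal DER encoder/decoder for an X.501 Name (SEQUENCE OF RDN; RDN = SET OF
# AttributeTypeAndValue { type OID, value }). Values are written as UTF8String (0x0C).
# Constructed OID table: DER contents octets of the X.520 types commonName,
# organizationName and organizationalUnitName (2.5.4.3 / 2.5.4.10 / 2.5.4.11).
OIDS = {"CN": b"\x55\x04\x03", "O": b"\x55\x04\x0a", "OU": b"\x55\x04\x0b"}
NAMES = {v: k for k, v in OIDS.items()}

def _tlv(tag, body):
    """Wrap body in a tag and a DER definite-form length."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body

def encode_name(rdns):
    """rdns: list of RDNs; each RDN is a list of (type, value) pairs."""
    out = b""
    for rdn in rdns:
        atvs = [_tlv(0x30, _tlv(0x06, OIDS[t]) + _tlv(0x0C, v.encode())) for t, v in rdn]
        # DER SET OF: members in ascending order of their encodings (X.690 11.6)
        out += _tlv(0x31, b"".join(sorted(atvs)))
    return _tlv(0x30, out)

def _read_tlv(buf, pos):
    """Return (tag, contents, position after the element) for the element at buf[pos]."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:  # long-form length
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def decode_name(der):
    """Inverse of encode_name; unknown attribute types come back as hex of the OID."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30: raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        tag, rdn_body, pos = _read_tlv(body, pos)
        if tag != 0x31: raise ValueError("RDN must be a SET")
        rdn, p = [], 0
        while p < len(rdn_body):
            _, atv, p = _read_tlv(rdn_body, p)
            _, oid, q = _read_tlv(atv, 0)
            _, val, _ = _read_tlv(atv, q)
            rdn.append((NAMES.get(oid, oid.hex()), val.decode()))
        rdns.append(rdn)
    return rdns

# Constructed sample: the CN-only subject from the thread, encoded and decoded
SAMPLE_DER = encode_name([[("CN", "High Speed Modem")]])
```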