
Re: [IETF-PKIX] PKIX Part 1: more clarity needed on AltNames
At 09:30 AM 12/31/97 -0500, David P. Kemp wrote:
>This case cannot arise: section 4.2 specifies that only one instance of
>a particular extension may appear in a particular certificate.

Whoops, I missed that. That clears up some of my questions. But...

>As to the case of a subject DN and a subjectAltName, I don't know if
>there is an answer to be found in part 1.

I couldn't find one; I think one is needed.

>My guess would be that
>the CA is vouching for the binding between each name in a certificate
>and the remaining contents of the certificate.

Each name individually, or as a group? "The rest of this cert applies to
either the DN xxx,yyy or the email address foo@bar.com" or "The rest of
this cert applies to DN xxx,yyy, but only when also thought of as
foo@bar.com"?

>It's probably a
>distinction without a difference to ask whether the CA is vouching for
>a binding between name A and name B - if both are bound to the same
>public key, (in the same cert or in separate otherwise identical certs)
>then they are implicitly equally valid, and it doesn't make much sense
>to ask which name is "definitive".

To me, this means "each name individually". I'm fine with this answer (and
with the other), but neither is clearly stated in the doc.

I can see a reason why "as a group" could be a logical choice. You might
issue one cert for the combination of a DN of "o=FooCo, cn=Chris Smith" and
a subjectAltName of "groupmailbox@foo.com", and a different cert for DN of
"o=FooCo, cn=Kim Tong" and a subjectAltName of "groupmailbox@foo.com". Or,
the DNs might be the same (with an ou and no cn) but with different
subjectAltNames.

--Paul Hoffman, Director
--Internet Mail Consortium
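The two readings argued over above ("each name individually" versus "as a group") have a concrete consequence for a relying party that has to turn a name into a public key. The following is an added illustration, not code from the thread or from any PKIX implementation: certificates are modelled as minimal constructed records (a subject DN, a list of subjectAltName entries and a placeholder key identifier), and the two lookup policies are written out so the scenario from the message (two different DNs sharing one group mailbox, and one DN with an ou but no cn reused with different SANs) can be run through both.

```python
"""Two readings of multi-name certificates, seen from the relying party.

Constructed example (not from the PKIX thread): each Cert is a minimal
record of the names a certificate carries and the key it binds.
Interpretation A ("each name individually"): every name in the cert is,
on its own, bound to the key.
Interpretation B ("as a group"): the cert binds the key only to the whole
set of names taken together.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    subject_dn: str            # e.g. "o=FooCo, cn=Chris Smith"
    subject_alt_names: tuple   # e.g. ("groupmailbox@foo.com",)
    public_key: str            # placeholder key identifier (constructed)

    def names(self):
        """All names the certificate carries: the DN plus every SAN."""
        return (self.subject_dn,) + self.subject_alt_names


def keys_for_name(certs, name):
    """Interpretation A: any cert that carries `name` anywhere vouches for
    name -> key. Returns the set of keys bound to that single name; more
    than one element means the name alone does not identify a key."""
    return {c.public_key for c in certs if name in c.names()}


def ambiguous_names(certs):
    """Names that, under interpretation A, resolve to more than one key,
    i.e. the names a relying party cannot use by themselves."""
    seen = {}
    for c in certs:
        for n in c.names():
            seen.setdefault(n, set()).add(c.public_key)
    return {n for n, keys in seen.items() if len(keys) > 1}


def key_for_name_set(certs, names):
    """Interpretation B: the binding is to the complete name set, so the
    relying party must present the DN plus all SANs exactly. Returns the
    key, or None if no single cert binds exactly that group."""
    wanted = frozenset(names)
    matches = {c.public_key for c in certs if frozenset(c.names()) == wanted}
    return next(iter(matches)) if len(matches) == 1 else None


# Constructed certificates for the scenario in the message: two people
# share a group mailbox, and a cert with an ou-only DN is reused with a
# different SAN.
CERTS = (
    Cert("o=FooCo, cn=Chris Smith", ("groupmailbox@foo.com",), "KEY-CHRIS"),
    Cert("o=FooCo, cn=Kim Tong", ("groupmailbox@foo.com",), "KEY-KIM"),
    Cert("o=FooCo, ou=Support", ("support@foo.com",), "KEY-SUPPORT"),
    Cert("o=FooCo, ou=Support", ("billing@foo.com",), "KEY-BILLING"),
)

if __name__ == "__main__":
    # Under A the group mailbox maps to two keys; under B the DN+SAN pair
    # picks exactly one.
    print(keys_for_name(CERTS, "groupmailbox@foo.com"))
    print(ambiguous_names(CERTS))
    print(key_for_name_set(CERTS, ("o=FooCo, cn=Kim Tong", "groupmailbox@foo.com")))
```

The point of the two functions is that interpretation A leaves the relying party with a set of candidate keys whenever a name is shared across certificates, so it needs a further rule to choose among them, whereas interpretation B resolves to one key but only if the relying party already knows every name in the certificate; which of these the profile intends is exactly what the message asks to have stated.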