Another query on draft-ietf-ipsec-pki-req-03.txt
Section 3.2 says

The subject field in IPsec certificates SHOULD be populated and
non-null (this is contrary to the PKIX certificate profile, which says
that the subject MUST NOT be populated if the identification is in the
subjectAltName field). The exact contents of this field are not
standardized. By convention, a minimal subject field contains
countryName and commonName. Distinguished names SHOULD be no more than
four attribute/value pairs, each of which SHOULD be no more than 128
characters in length (these restrictions do not appear in the PKIX
certificate profile). An IKE implementation that conforms to this
profile SHOULD NOT reject a certificate that does not follow these
rules.

Why? The rationale for this requirement is not immediately obvious.