[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Adding revised identities to IKEv2
At 1:21 PM -0800 11/8/02, Paul Hoffman / VPNC wrote:
>At 3:27 PM -0500 11/8/02, Stephen Kent wrote:
>>At 8:42 AM -0800 11/8/02, Paul Hoffman / VPNC wrote:
>>>At 10:46 AM +0100 11/8/02, Francis Dupont wrote:
>>>>=> there is no agreement about what checks must be done:
>>>> - common sense says the identity must be a subject of the certificate
>>>> (but this is not clearly specified in IKEv1 and perhaps some
>>>> implementations don't perform this check)
>>>
>>>That does not follow. There is no standard way for the Subject to
>>>be an email address (the way folks do it now is a non-standard
>>>hack), there is no standard way for the Subject to be an IP
>>>address. I'm not sure, but I think the DC method of doing domain
>>>names in the Subject is also a non-standard hack.
>>
>>I think the use of DC is a "standard hack," i.e., there is an RFC
>>defining how to represent any DNS name in this fashion, and it may
>>even state that this is the preferred way to do so if you use a DN
>>rather than the SubAltname.
>
>The "standard" (you can barely call it that), RFC 1274, preceded
>subjectAltName by many years. It is yet another example of being
>able to say two equivalent things in a PKIX certificate in two very
>different ways.
Agreed.
But if one had to have a DNS name in the Issuer field, e.g., because
PKIX mandates use of the Issuer DN in a CA cert, that's the only
standard game in town for a DNS representation, right?
Steve