
Re: Adding revised identities to IKEv2



At 03:27 PM 11/8/2002 -0500, Stephen Kent wrote:
>At 8:42 AM -0800 11/8/02, Paul Hoffman / VPNC wrote:
>>At 10:46 AM +0100 11/8/02, Francis Dupont wrote:
>>>=> there is no agreement about what checks must be done:
>>>  - common sense says the identity must be a subject of the certificate
>>>    (but this is not clearly specified in IKEv1 and perhaps some
>>>     implementations don't perform this check)
>>
>>That does not follow. There is no standard way for the Subject to be an 
>>email address (the way folks do it now is a non-standard hack), there is 
>>no standard way for the Subject to be an IP address. I'm not sure, but I 
>>think the DC method of doing domain names in the Subject is also a 
>>non-standard hack.
>
>I think the use of DC is a "standard hack," i.e., there is an RFC defining 
>how to represent any DNS name in this fashion, and it may even state that 
>this is the preferred way to do so if you use a DN rather than the SubAltname.

RFC 3280 requires support for DC.  It says:

    In addition, implementations of this specification MUST be prepared
    to receive the domainComponent attribute, as defined in [RFC 2247].
    The Domain Name System (DNS) provides a hierarchical resource
    labeling system.  This attribute provides a convenient mechanism for
    organizations that wish to use DNs that parallel their DNS names.
    This is not a replacement for the dNSName component of the
    alternative name field.  Implementations are not required to convert
    such names into DNS names.

Russ
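As an added illustration (not code from this thread or from any IKE implementation), the following shows how a responder could bind an FQDN identity to a certificate: it prefers the dNSName in subjectAltName, and treats the RFC 2247 domainComponent form of the Subject only as an explicitly enabled fallback, since RFC 3280 does not require converting DC attributes into DNS names. The certificate dictionaries and names are constructed samples.

```python
# Added example: matching an IKE FQDN identity against a certificate that
# carries the name as a dNSName SAN or as RFC 2247 DC RDNs in the Subject.

def dns_to_dc_rdns(fqdn):
    """'vpn.example.com' -> [('DC','vpn'),('DC','example'),('DC','com')]
    (RFC 2253 string order: most specific label first)."""
    labels = fqdn.rstrip(".").lower().split(".")
    if any(not label for label in labels):
        raise ValueError("empty DNS label in %r" % fqdn)
    return [("DC", label) for label in labels]

def dc_rdns_to_dns(rdns):
    """Inverse: join the DC values of a DN (string order) into a DNS name.
    Returns None when the DN carries no DC components at all."""
    dcs = [value for attr, value in rdns if attr.upper() == "DC"]
    return ".".join(dcs).lower() if dcs else None

def identity_matches_cert(fqdn, cert, allow_dc_fallback=False):
    """Return the field that bound the identity: 'dNSName', 'DC', or None."""
    want = fqdn.rstrip(".").lower()
    # Preferred: dNSName in subjectAltName, compared case-insensitively.
    for name in cert.get("san_dnsname", []):
        if name.rstrip(".").lower() == want:
            return "dNSName"
    # Fallback is a local policy choice: accept a Subject whose DC
    # components parallel the DNS name, but only if explicitly enabled.
    if allow_dc_fallback and dc_rdns_to_dns(cert.get("subject", [])) == want:
        return "DC"
    return None

# Constructed sample certificates (only the fields the check needs).
CERT_SAN = {"subject": [("CN", "vpn gateway"), ("O", "Example")],
            "san_dnsname": ["VPN.example.com"]}
CERT_DC = {"subject": [("CN", "vpn gateway"), ("DC", "vpn"),
                       ("DC", "example"), ("DC", "com")],
           "san_dnsname": []}

if __name__ == "__main__":
    for label, cert in (("SAN cert", CERT_SAN), ("DC cert", CERT_DC)):
        print(label, identity_matches_cert("vpn.example.com", cert, True))
```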