Re: Adding revised identities to IKEv2
At 03:27 PM 11/8/2002 -0500, Stephen Kent wrote:
>At 8:42 AM -0800 11/8/02, Paul Hoffman / VPNC wrote:
>>At 10:46 AM +0100 11/8/02, Francis Dupont wrote:
>>>=> there is no agreement about what checks must be done:
>>> - common sense says the identity must be a subject of the certificate
>>> (but this is not clearly specified in IKEv1 and perhaps some
>>> implementations don't perform this check)
>>
>>That does not follow. There is no standard way for the Subject to be an
>>email address (the way folks do it now is a non-standard hack), there is
>>no standard way for the Subject to be an IP address. I'm not sure, but I
>>think the DC method of doing domain names in the Subject is also a
>>non-standard hack.
>
>I think the use of DC is a "standard hack," i.e., there is an RFC defining
>how to represent any DNS name in this fashion, and it may even state that
>this is the preferred way to do so if you use a DN rather than the SubAltname.
RFC 3280 requires support for DC. It says:
In addition, implementations of this specification MUST be prepared
to receive the domainComponent attribute, as defined in [RFC 2247].
The Domain Name System (DNS) provides a hierarchical resource
labeling system. This attribute provides a convenient mechanism for
organizations that wish to use DNs that parallel their DNS names.
This is not a replacement for the dNSName component of the
alternative name field. Implementations are not required to convert
such names into DNS names.
Russ
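An added example, not part of this thread, showing one way an IKE implementation could apply the two representations discussed above: a certificate's dNSName is taken as the binding for an FQDN identity, and a domainComponent subject DN is mapped to a DNS name in the RFC 2247 style only as a fallback. The DN string parser, the fallback policy and the sample DNs are constructed for illustration.

```python
from typing import List, Optional, Sequence, Tuple


def split_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an LDAP-style DN string into (type, value) pairs, leaf RDN first.
    Constructed, simplified parser: no escaped commas or multi-valued RDNs."""
    pairs = []
    for rdn in dn.split(","):
        attr_type, _, value = rdn.strip().partition("=")
        pairs.append((attr_type.strip().lower(), value.strip()))
    return pairs


def dns_name_from_dc(dn: str) -> Optional[str]:
    """Map the domainComponent suffix of a DN to a DNS name (RFC 2247 style),
    e.g. 'cn=gw1,dc=example,dc=com' -> 'example.com'. Returns None when the DN
    has no DC attributes, or when a non-DC RDN sits among them, because such a
    DN does not parallel a DNS name."""
    rdns = split_dn(dn)
    labels = [value for attr_type, value in rdns if attr_type == "dc" and value]
    if not labels:
        return None
    # The DC RDNs must be the trailing (root-most) part of the DN.
    if any(attr_type != "dc" for attr_type, _ in rdns[-len(labels):]):
        return None
    return ".".join(labels).lower()


def fqdn_identity_matches(ike_fqdn: str, san_dns_names: Sequence[str],
                          subject_dn: str) -> bool:
    """Decide whether an IKE ID of type FQDN is bound to the peer's certificate.
    Assumed policy: a dNSName in subjectAltName is authoritative; the DC form of
    the subject DN is consulted only when the certificate carries no dNSName,
    following the RFC 3280 note that DC is not a replacement for dNSName."""
    wanted = ike_fqdn.rstrip(".").lower()
    if san_dns_names:
        return any(name.rstrip(".").lower() == wanted for name in san_dns_names)
    return dns_name_from_dc(subject_dn) == wanted
```

Note that a DN such as cn=gw1,dc=example,dc=com maps to the domain example.com, not to the host gw1.example.com, so a host identity never matches through the DC fallback.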