
Re: FQDN goes in commonName or domainComponent?



Niklas Hallqvist wrote:
> 
> I have no idea, but as an implementor, I have used it in a few
> semi-official projects when looking up certificate chains in DNS
> (using DNSSEC of course); isakmpd, konqueror and lynx.  I'd expect
> anyone wanting to do the same would have found the info in the
> suitable standard documents.  I preferred dNSName in subjectAltName,
> had DC as secondary choice, and as fallback, CN.  I had no idea CN would be
> *more* standard than DC.  How are you to find that out?  It seemed
> more ad-hoc to me.
> 
> Niklas

It's more-or-less standard in several protocols (SSL for instance),
but I didn't mean standard in the sense of appearing in some
document (although that might be true too).

The issue isn't whether to use subjectAltName.  That is the right thing
to do.  The issue is:  if someone is going to place a domain name in
SubjectName (perhaps because it's a v1 certificate? :), then what
attribute should be used?

-brian
briank@briank.com
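
The lookup order described in the quoted message (dNSName in subjectAltName, then DC, then CN), as an added example that is not part of the original thread or of any project named in it. The function names and sample certificates are constructed; the input follows the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`, and DC attributes are assumed to be encoded most-significant first.

```python
import re

# Loose hostname check: dot-separated LDH labels ending in an alphabetic TLD.
_FQDN = re.compile(
    r"^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$", re.I)

def looks_like_fqdn(value):
    """CN often holds a person or organisation name, so validate before use."""
    return bool(_FQDN.match(value))

def _attrs(cert, name):
    """All values of one subject attribute type, in encoding order."""
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == name]

def names_from_cert(cert):
    """Return (source, names) using the order SAN dNSName > DC > CN."""
    san = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san:
        # SAN present: the subject name is not consulted at all.
        return "subjectAltName", [n.lower().rstrip(".") for n in san]
    dcs = _attrs(cert, "domainComponent")
    if dcs:
        # Assumption: encoded as DC=com, DC=example; reverse to get example.com.
        return "domainComponent", [".".join(reversed(dcs)).lower()]
    cns = [c for c in _attrs(cert, "commonName") if looks_like_fqdn(c)]
    if cns:
        # Last CN in encoding order is the most specific one.
        return "commonName", [cns[-1].lower()]
    return None, []

# Constructed sample certificates (not taken from any real deployment).
V3_CERT = {
    "subject": ((("commonName", "old-name.example.net"),),),
    "subjectAltName": (("DNS", "www.example.com"), ("DNS", "example.com"),
                       ("IP Address", "192.0.2.10")),
}
DC_CERT = {"subject": ((("domainComponent", "com"),),
                       (("domainComponent", "example"),),
                       (("domainComponent", "www"),),
                       (("commonName", "Alice Example"),))}
CN_CERT = {"subject": ((("organizationName", "Example Corp"),),
                       (("commonName", "Mail.Example.ORG"),))}
PERSON_CERT = {"subject": ((("commonName", "Alice Example"),),)}

if __name__ == "__main__":
    for cert in (V3_CERT, DC_CERT, CN_CERT, PERSON_CERT):
        print(names_from_cert(cert))
```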