
Re: FQDN goes in commonName or domainComponent?



At 6:52 PM -0800 11/14/02, Brian Korver wrote:
>Re: draft-ietf-ipsec-pki-profile-01.txt
>
>On Wednesday, November 13, 2002, at 08:41 AM, Housley, Russ wrote:
>>>>In section 4.1.2.2.2, describing conventions for FQDN Host Names, 
>>>>I think that the SHOULD and MAY are backwards.  When a FQDN is 
>>>>carried in the subject field of a certificate, the 
>>>>domainComponent attribute SHOULD be used.  The commonName 
>>>>attribute MAY be used instead.  I prefer dNSName in the 
>>>>SubjectAltName extension to both of these!
>
>Your final statement agrees with the draft's SHOULD NOT.
>
>On the other hand, domainComponent isn't nearly as standard
>as commonName for containing FQDNs.  In fact, I'd be surprised
>if much software could even process that attribute type and
>display it to a user.
>
>Question to the list:  How common is support for domainComponent?
>Which should be preferred?
>

FYI: BBN has developed open source CA software under the DARPA CHATS 
(Composable High Assurance Trusted Systems) program, which is being 
made freely available.  It supports the DC construct for domain names 
in the Subject or Issuer fields.

PKIX is pretty clear about what is preferred re DNS names, and 
putting them in the CN attribute is not the preferred answer.

Steve
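The three places the thread discusses for carrying a host FQDN (dNSName in subjectAltName, domainComponent RDNs, commonName), with the preference order Russ and Steve argue for, as an added example that is not code from the list, the draft, or the BBN CA. The certificate is modelled as plain Python data so it runs offline; the one-DNS-label-per-DC layout (root label first, RFC 2247 style) is an assumption, and all names are constructed.

```python
"""Pick a host FQDN from an X.509 identity, preferring SAN dNSName, then DC, then CN.

Added example, not from the thread. Subject is a list of (attribute, value) pairs in
ASN.1 order; SAN dNSNames are a list of strings. Assumed DC convention (RFC 2247
style): one DNS label per domainComponent RDN, root label first.
"""
import re
from typing import List, Optional, Tuple

# LDH hostname: 1-63 char labels, no leading/trailing hyphen, at least one dot.
_FQDN_RE = re.compile(
    r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$"
)

Subject = List[Tuple[str, str]]


def is_fqdn(value: str) -> bool:
    """True for a syntactically valid multi-label host name (rejects 'localhost')."""
    return bool(_FQDN_RE.match(value))


def fqdn_from_dc(subject: Subject) -> Optional[str]:
    """Rebuild a host name from DC RDNs: DC=com, DC=example, DC=vpn -> vpn.example.com."""
    labels = [v for attr, v in subject if attr.upper() == "DC"]
    if not labels:
        return None
    name = ".".join(reversed(labels))  # ASN.1 order is root-first, DNS order is host-first
    return name if is_fqdn(name) else None


def fqdn_from_cn(subject: Subject) -> Optional[str]:
    """CN may hold anything (e.g. a display name); accept it only if it looks like an FQDN."""
    for attr, v in subject:
        if attr.upper() == "CN" and is_fqdn(v):
            return v
    return None


def host_fqdn(san_dns: List[str], subject: Subject) -> Tuple[Optional[str], Optional[str]]:
    """Return (fqdn, source) using the thread's preference: dNSName > DC > CN."""
    for name in san_dns:
        if is_fqdn(name):
            return name, "dNSName"
    name = fqdn_from_dc(subject)
    if name:
        return name, "domainComponent"
    name = fqdn_from_cn(subject)
    if name:
        return name, "commonName"
    return None, None  # no usable host identity: reject rather than guess


if __name__ == "__main__":
    # Constructed subjects, not from any real certificate.
    print(host_fqdn(["vpn.example.com"], [("CN", "Example VPN gateway")]))
    print(host_fqdn([], [("DC", "com"), ("DC", "example"), ("DC", "vpn")]))
    print(host_fqdn([], [("O", "Example"), ("CN", "vpn.example.com")]))
```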