Subject: Re: [xri] Subject Auth Name?
> I would be interested to learn more on Subject Auth Name in the certs.
> Could you point me to a reading material?

The field I was referring to is "Subject Alternative Name", aka subjectAltName. See section 4.2.1.6 of RFC 5280, http://www.rfc-editor.org/rfc/rfc5280.txt .

The short version of a long story is that subjectAltName was added as an extension in X.509v3 (in 1993 or so) in recognition of the fact that the sorts of Internet entities that would be appropriate subjects of X.509 certs do not have X.500 Distinguished Names, they have things like RFC 2822 email addresses and DNS names and (later) URIs (see the full list at the end of section 4.2.1.6). So in theory it is fine for an X.509 cert to have only a subjectAltName and no Subject. In practice X.509 tools and vendors have focused on the use of Subject DNs, one of the leading reasons why people avoid X.509 outside of the area of web server certs.

At my university we use DNS-name subjectAltNames quite a lot and have found that support for them in relying-party software is pretty good at this point. Support in UIs is another matter. And as mentioned the commercial CAs to my knowledge ignore them.

- RL "Bob"