

Subject: Re: [xri] Subject Auth Name?



> I would be interested to learn more on Subject Auth Name in the certs. 
> Could you point me to a reading material?

The field I was referring to is "Subject Alternative Name", aka 
subjectAltName.  See section 4.2.1.6 of RFC 5280, 
http://www.rfc-editor.org/rfc/rfc5280.txt .

The short version of a long story is that subjectAltName was added as an 
extension in X.509v3 (in 1993 or so) in recognition of the fact that the 
sorts of Internet entities that would be appropriate subjects of X.509 
certs do not have X.500 Distinguished Names, they have things like RFC 
2822 email addresses and DNS names and (later) URIs (see the full list at 
the end of section 4.2.1.6).

So in theory it is fine for an X.509 cert to have only a subjectAltName 
and no Subject.  In practice X.509 tools and vendors have focused on the 
use of Subject DNs, one of the leading reasons why people avoid X.509 
outside of the area of web server certs.  At my university we use DNS-name 
subjectAltNames quite a lot and have found that support for them in 
relying-party software is pretty good at this point.  Support in UIs is 
another matter.  And as mentioned the commercial CAs to my knowledge 
ignore them.

  - RL "Bob"
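As an added example, not code from the post or the OASIS list: a Go program (standard library only) that mints a constructed test certificate with an empty Subject and DNS, rfc822Name and URI subjectAltNames, checks the RFC 5280 rule that the SAN extension must be critical when the Subject is empty, and runs the relying-party DNS-name match the post describes. All names in it are assumed examples.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net/url"
	"time"
)

// buildSANOnlyCert mints a constructed, self-signed test cert whose Subject DN
// is empty; its identities live only in subjectAltName (DNS, rfc822Name, URI).
func buildSANOnlyCert() (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(1),
		Subject:        pkix.Name{}, // deliberately empty Subject
		NotBefore:      time.Now().Add(-time.Hour),
		NotAfter:       time.Now().Add(24 * time.Hour),
		DNSNames:       []string{"idp.example.edu", "*.apps.example.edu"}, // made-up names
		EmailAddresses: []string{"admin@example.edu"},
		URIs:           []*url.URL{{Scheme: "https", Host: "example.edu", Path: "/sp"}},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// sanIsCritical: RFC 5280 requires SAN (2.5.29.17) to be critical when Subject is empty.
func sanIsCritical(cert *x509.Certificate) bool {
	for _, ext := range cert.Extensions {
		if ext.Id.String() == "2.5.29.17" {
			return ext.Critical
		}
	}
	return false
}

// acceptsHost is the relying-party check: host is matched against DNS SANs only.
func acceptsHost(cert *x509.Certificate, host string) bool {
	return cert.VerifyHostname(host) == nil
}
```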


