[Date Prev] | [Thread Prev] | [Thread Next] | [Date Next] -- [Date Index] | [Thread Index] | [List Home]
Subject: RE: [xri] Subject Auth Name?
Hi All,

SubjectAltName is where we have put XRI into X.509 certs we have issued to devices. So far other software has not complained, so that's good; however, so far no software we run has attempted to use the XRIs in the subjectAltName. On these certificates we also populate subjectDN, and that is what our software tends to use so far.

We also use subjectAltName in smart card certificates we issue to our employees. However, for these certificates we include the user's Windows UPN so they can be used for Windows logon (the value in subjectAltName has to match the user's UPN in Active Directory so Windows can figure out which user is represented).

SubjectAltName can technically include multiple values, so we're thinking about trying to include BOTH the user's UPN and XRI; however, we haven't yet had the bandwidth to test this. We're apprehensive to try it, because we expect a multi-valued subjectAltName will confuse COTS software (similar to how many LDAP-enabled COTS applications get confused if the CN in an LDAP directory contains multiple values). Our primary concern is in making subjectAltName multi-valued; we're less concerned that one of the values would be an XRI.

Marty.Schleiff@boeing.com; CISSP
Associate Technical Fellow
Information Security Technical Controls
(206) 679-5933

-----Original Message-----
From: RL 'Bob' Morgan [mailto:rlmorgan@washington.edu]
Sent: Thursday, December 11, 2008 3:35 PM
To: Sakimura Nat
Cc: xri@lists.oasis-open.org
Subject: Re: [xri] Subject Auth Name?

> I would be interested to learn more on Subject Auth Name in the certs.
> Could you point me to a reading material?

The field I was referring to is "Subject Alternative Name", aka subjectAltName. See section 4.2.1.6 of RFC 5280, http://www.rfc-editor.org/rfc/rfc5280.txt .
The short version of a long story is that subjectAltName was added as an extension in X.509v3 (in 1993 or so) in recognition of the fact that the sorts of Internet entities that would be appropriate subjects of X.509 certs do not have X.500 Distinguished Names; they have things like RFC 2822 email addresses and DNS names and (later) URIs (see the full list at the end of section 4.2.1.6). So in theory it is fine for an X.509 cert to have only a subjectAltName and no Subject. In practice X.509 tools and vendors have focused on the use of Subject DNs, one of the leading reasons why people avoid X.509 outside of the area of web server certs.

At my university we use DNS-name subjectAltNames quite a lot and have found that support for them in relying-party software is pretty good at this point. Support in UIs is another matter. And as mentioned the commercial CAs to my knowledge ignore them.

 - RL "Bob"

---------------------------------------------------------------------
To unsubscribe from this mail list, you must leave the OASIS TC that generates this mail. Follow this link to all your TCs in OASIS at:
https://www.oasis-open.org/apps/org/workgroup/portal/my_workgroups.php
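The multi-valued subjectAltName that the thread is debating, as an added example that is not code from either poster or from any XRI/OASIS project: it DER-encodes a SubjectAltName value (RFC 5280 section 4.2.1.6) carrying both a Windows UPN (an otherName with Microsoft's type-id 1.3.6.1.4.1.311.20.2.3, the one real OID used here) and an XRI expressed as a uniformResourceIdentifier, then parses it back the way a relying party should, by walking every GeneralName rather than assuming the extension holds one value. The UPN "jdoe@corp.example" and the XRI "xri://=jdoe" are constructed sample data, the helper names are mine, and only the Python standard library is used; other GeneralName choices (dNSName, rfc822Name) are not encoded here, and unfamiliar choices are surfaced as "unknown:0xNN" on decode rather than dropped.

```python
from dataclasses import dataclass

# szOID_NT_PRINCIPAL_NAME, the otherName type-id Windows logon looks for (real Microsoft OID).
UPN_OID = "1.3.6.1.4.1.311.20.2.3"
# GeneralName CHOICE tags (RFC 5280 4.2.1.6): otherName [0] is constructed,
# uniformResourceIdentifier [6] is an IMPLICIT IA5String.
TAG_OTHER_NAME, TAG_URI = 0xA0, 0x86
TAG_SEQUENCE, TAG_OID, TAG_UTF8, TAG_EXPLICIT_0 = 0x30, 0x06, 0x0C, 0xA0


@dataclass(frozen=True)
class GeneralName:
    kind: str   # "upn", "uniformResourceIdentifier", "otherName:<oid>" or "unknown:0xNN"
    value: str


def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")   # long-form length
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                 # base-128; only the last byte has the high bit clear
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(out))


def _decode_oid(body: bytes) -> str:
    arcs, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, position after the element) for the DER TLV at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first & 0x80:
        n = first & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def encode_san(names) -> bytes:
    """DER-encode SubjectAltName ::= SEQUENCE SIZE (1..MAX) OF GeneralName."""
    parts = []
    for gn in names:
        if gn.kind == "upn":   # otherName { type-id UPN_OID, value [0] EXPLICIT UTF8String }
            inner = _encode_oid(UPN_OID) + _tlv(TAG_EXPLICIT_0, _tlv(TAG_UTF8, gn.value.encode("utf-8")))
            parts.append(_tlv(TAG_OTHER_NAME, inner))
        elif gn.kind == "uniformResourceIdentifier":
            parts.append(_tlv(TAG_URI, gn.value.encode("ascii")))
        else:
            raise ValueError(f"unsupported GeneralName kind {gn.kind!r}")
    if not parts:
        raise ValueError("SubjectAltName must carry at least one GeneralName")
    return _tlv(TAG_SEQUENCE, b"".join(parts))


def decode_san(der: bytes):
    """Parse every GeneralName in a SubjectAltName value; never stop at the first one."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE:
        raise ValueError("SubjectAltName value is not a SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, item, pos = _read_tlv(body, pos)
        if tag == TAG_OTHER_NAME:
            _, oid_body, p = _read_tlv(item, 0)
            _, explicit, _ = _read_tlv(item, p)          # the [0] EXPLICIT wrapper
            vtag, value, _ = _read_tlv(explicit, 0)
            oid = _decode_oid(oid_body)
            if oid == UPN_OID and vtag == TAG_UTF8:
                names.append(GeneralName("upn", value.decode("utf-8")))
            else:
                names.append(GeneralName(f"otherName:{oid}", value.hex()))
        elif tag == TAG_URI:
            names.append(GeneralName("uniformResourceIdentifier", item.decode("ascii")))
        else:   # an unfamiliar choice is kept, not dropped, so the caller can see it and decide
            names.append(GeneralName(f"unknown:0x{tag:02x}", item.hex()))
    return names


def names_of_kind(names, kind: str):
    # A relying party picks the kind it understands from the whole list, e.g. "upn" for logon.
    return [gn.value for gn in names if gn.kind == kind]


# Constructed sample: one smart-card cert asserting both a Windows logon identity and an XRI.
SAMPLE_NAMES = (GeneralName("upn", "jdoe@corp.example"),
                GeneralName("uniformResourceIdentifier", "xri://=jdoe"))
```

Calling `decode_san(encode_san(SAMPLE_NAMES))` returns both entries, and `names_of_kind(..., "upn")` is the lookup a logon component would perform against the directory's userPrincipalName while a separate consumer asks for "uniformResourceIdentifier"; software that reads only the first element of the SEQUENCE, or that rejects a choice it does not recognise, is exactly the COTS behaviour the thread is worried about, and the two functions above are the thing to run a candidate relying party's output against before issuing such certificates.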