Subject: RE: [xri] Subject Auth Name?


Hi All,

SubjectAltName is where we have put XRI into X.509 certs we have issued
to devices. So far other software has not complained, so that's good;
however, so far no software we run has attempted to use the XRIs in the
subjectAltName. On these certificates we also populate subjectDN, and
that is what our software tends to use so far.

We also use subjectAltName in smart card certificates we issue to our
employees. However, for these certificates we include the user's Windows
UPN so they can be used for Windows logon (the value in subjectAltName
has to match the user's UPN in Active Directory so Windows can figure
out which user is represented). 

SubjectAltName can technically include multiple values, so we're
thinking about trying to include BOTH the user's UPN and XRI; however,
we haven't yet had the bandwidth to test this. We're apprehensive about
trying it, because we expect a multi-valued subjectAltName will confuse
COTS software (similar to how many LDAP-enabled COTS applications get
confused if the CN in an LDAP directory contains multiple values). Our
primary concern is in making subjectAltName multi-valued; we're less
concerned that one of the values would be an XRI.


Marty.Schleiff@boeing.com; CISSP
Associate Technical Fellow
Information Security Technical Controls
(206) 679-5933

-----Original Message-----
From: RL 'Bob' Morgan [mailto:rlmorgan@washington.edu] 
Sent: Thursday, December 11, 2008 3:35 PM
To: Sakimura Nat
Cc: xri@lists.oasis-open.org
Subject: Re: [xri] Subject Auth Name? 


> I would be interested to learn more on Subject Auth Name in the certs.

> Could you point me to a reading material?

The field I was referring to is "Subject Alternative Name", aka
subjectAltName.  See section 4.2.1.6 of RFC 5280,
http://www.rfc-editor.org/rfc/rfc5280.txt .

The short version of a long story is that subjectAltName was added as an
extension in X.509v3 (in 1993 or so) in recognition of the fact that the
sorts of Internet entities that would be appropriate subjects of X.509
certs do not have X.500 Distinguished Names, they have things like RFC
2822 email addresses and DNS names and (later) URIs (see the full list
at the end of section 4.2.1.6).

So in theory it is fine for an X.509 cert to have only a subjectAltName
and no Subject.  In practice X.509 tools and vendors have focused on the
use of Subject DNs, one of the leading reasons why people avoid X.509
outside of the area of web server certs.  At my university we use
DNS-name subjectAltNames quite a lot and have found that support for
them in relying-party software is pretty good at this point.  Support in
UIs is another matter.  And as mentioned the commercial CAs to my
knowledge ignore them.

  - RL "Bob"
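As an added illustration that is not part of the thread (and not code from any of the posters' organizations), the following stdlib-only Python encodes a subjectAltName carrying both a Microsoft UPN otherName and an XRI, then decodes it by walking every GeneralName, which is what relying-party software must do for the multi-valued SAN Marty describes to work. The UPN and XRI values are constructed samples; the UPN otherName OID 1.3.6.1.4.1.311.20.2.3 is Microsoft's, and carrying the XRI as a uniformResourceIdentifier GeneralName is one plausible encoding that the thread itself does not settle.

```python
"""Encode/decode a multi-valued X.509 subjectAltName (RFC 5280 s.4.2.1.6)
using only the standard library.  All sample values are constructed."""

# Microsoft UPN otherName type-id 1.3.6.1.4.1.311.20.2.3 as DER OID content
UPN_OID = bytes([0x2B, 0x06, 0x01, 0x04, 0x01, 0x82, 0x37, 0x14, 0x02, 0x03])


def tlv(tag: int, body: bytes) -> bytes:
    """DER tag-length-value with definite length (short or long form)."""
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = (len(body).bit_length() + 7) // 8
    return bytes([tag, 0x80 | n]) + len(body).to_bytes(n, "big") + body


def upn_name(upn: str) -> bytes:
    # otherName [0] { type-id UPN OID, value [0] EXPLICIT UTF8String }
    return tlv(0xA0, tlv(0x06, UPN_OID) + tlv(0xA0, tlv(0x0C, upn.encode())))


def uri_name(uri: str) -> bytes:
    return tlv(0x86, uri.encode("ascii"))  # uniformResourceIdentifier [6]


def dns_name(name: str) -> bytes:
    return tlv(0x82, name.encode("ascii"))  # dNSName [2]


def build_san(*names: bytes) -> bytes:
    return tlv(0x30, b"".join(names))  # GeneralNames ::= SEQUENCE OF GeneralName


def read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: next (length & 0x7F) bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def parse_san(der: bytes) -> list:
    """Enumerate every GeneralName.  Software that reads only the first
    entry is exactly what breaks when a SAN becomes multi-valued."""
    tag, body, _ = read_tlv(der, 0)
    assert tag == 0x30, "subjectAltName must be a SEQUENCE"
    names, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        if tag == 0xA0:  # otherName: OID then [0] EXPLICIT value
            _, oid, p = read_tlv(val, 0)
            _, inner, _ = read_tlv(val, p)
            if oid == UPN_OID:
                names.append(("UPN", read_tlv(inner, 0)[1].decode("utf-8")))
            else:
                names.append(("otherName", val.hex()))
        elif tag in (0x81, 0x82, 0x86):
            kind = {0x81: "rfc822Name", 0x82: "dNSName", 0x86: "URI"}[tag]
            names.append((kind, val.decode("ascii")))
        else:
            names.append(("unsupported-tag-%02x" % tag, val.hex()))
    return names
```

A Windows logon check would look only for the UPN entry, while an XRI-aware relying party would pick out the URI entry; both must tolerate the other's presence.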

