OASIS Mailing List Archives

xri message



Subject: RE: [xri] Subject Auth Name?



> SubjectAltName can technically include multiple values, so we're 
> thinking about trying to include BOTH the user's UPN and XRI; however, 
> we haven't yet had the bandwidth to test this. We're apprehensive to try 
> it, because we expect a multi-valued subjectAltName will confuse COTS 
> software (similar to how many LDAP-enabled COTS applications get confused 
> if the CN in an LDAP directory contains multiple values). Our primary 
> concern is in making subjectAltName multi-valued; we're less concerned 
> that one of the values would be an XRI.

I suspect we are getting seriously off-topic (time for a beer, Marty), but 
let me just say that we have had cases where multiple altNames in certs are 
useful (both logical-service-name.foo.edu and specific-box-name.foo.edu in 
the same server cert) and we have found this to work remarkably well with 
COTS relying-party software.  That is, it does what you want:  goes 
through the set of altNames, finds the one that's useful, and ignores the 
rest.  In fact the ability to have multiples is one of the major benefits of 
altNames, since multiple CNs in a Subject DN is both technically illegal 
(as I recall) and (as I found out by asking X.509 implementors a few years 
ago, and by trying it) produces unknown results in deployed software.

  - RL "Bob"
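
The relying-party behaviour described in the message above (go through the set of altNames, use the one that fits, ignore the rest), sketched as an added example that is not part of the original post or of any COTS product. The function names, the `xri://=example.user` value, the `othername` stand-in for a UPN, and exact string comparison for URI entries are assumptions made for illustration; the two host names are the ones from the message.

```python
# Added example: selecting one value from a multi-valued subjectAltName.
# SAN entries are (type, value) pairs, the shape ssl.SSLSocket.getpeercert() returns.

# Constructed sample certificate; the URI and othername entries are placeholders.
SAMPLE_CERT = {
    "subject": ((("commonName", "specific-box-name.foo.edu"),),),
    "subjectAltName": (
        ("DNS", "logical-service-name.foo.edu"),
        ("DNS", "specific-box-name.foo.edu"),
        ("URI", "xri://=example.user"),
        ("othername", "<unsupported>"),  # stand-in for a UPN this matcher cannot read
    ),
}


def _dns_match(pattern, host):
    """Case-insensitive dNSName match; '*' is allowed only as the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        # A wildcard covers exactly one label and needs two fixed labels after it.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h


def select_alt_name(cert, wanted_type, reference):
    """Return the first SAN value of wanted_type that matches reference, else None.

    Entries of any other type are skipped rather than treated as errors, so a
    certificate carrying DNS names, an XRI and a UPN still validates for each use.
    """
    for name_type, value in cert.get("subjectAltName", ()):
        if name_type != wanted_type:
            continue
        if wanted_type == "DNS":
            if _dns_match(value, reference):
                return value
        elif value == reference:  # assumption: exact comparison for non-DNS types
            return value
    return None


if __name__ == "__main__":
    for kind, ref in (("DNS", "logical-service-name.foo.edu"),
                      ("URI", "xri://=example.user"),
                      ("DNS", "other-box.foo.edu")):
        print(kind, ref, "->", select_alt_name(SAMPLE_CERT, kind, ref))
```
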


