Subject: RE: [xri] Subject Auth Name?
> SubjectAltName can technically include multiple values, so we're
> thinking about trying to include BOTH the user's UPN and XRI; however,
> we haven't yet had the bandwidth to test this. We're apprehensive to try
> it, because we expect a multi-valued subjectAltName will confuse COTS
> software (similar to how many LDAP-enabled COTS applications get confused
> if the CN in an LDAP directory contains multiple values). Our primary
> concern is in making subjectAltName multi-valued; we're less concerned
> that one of the values would be an XRI.

I suspect we are getting seriously off-topic (time for a beer, Marty), but let me just say that we have had cases where multiple altNames in certs are useful (both logical-service-name.foo.edu and specific-box-name.foo.edu in the same server cert) and we have found this to work remarkably well with COTS relying-party software. That is, it does what you want: goes through the set of altNames, finds the one that's useful, and ignores the rest.

In fact the ability to have multiples is one of the major benefits of altNames, since multiple CNs in a Subject DN is both technically illegal (as I recall) and (as I found out by asking X.509 implementors a few years ago, and by trying it) produces unknown results in deployed software.

- RL "Bob"
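The relying-party behaviour described in the message above (walk the set of altNames, use the one that fits, ignore the rest), as an added Python sketch that is not part of the original thread. It assumes the `(type, value)` tuple shape that `ssl.SSLSocket.getpeercert()` returns under `subjectAltName`; the user-certificate values, the function names and the three-label wildcard rule are assumptions made for the illustration.

```python
# Added illustration, not code from the thread. SAN entries use the
# (type, value) tuple shape of ssl.SSLSocket.getpeercert()["subjectAltName"].

def _dns_match(pattern, hostname):
    """Compare one dNSName with a hostname, case-insensitively.
    '*' is honoured only as the whole left-most label, and only when at
    least two further labels follow (a conservative choice made here)."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def select_dns_name(san, hostname):
    """Return the first dNSName that matches hostname, else None.
    Entries of every other type (URI, email, othername) are skipped."""
    for kind, value in san:
        if kind == "DNS" and _dns_match(value, hostname):
            return value
    return None

def select_by_type(san, kind, predicate=lambda value: True):
    """Return the values of the one SAN type this relying party understands."""
    return [value for k, value in san if k == kind and predicate(value)]

# Server certificate from the message: two DNS names in one cert.
SERVER_SAN = (
    ("DNS", "logical-service-name.foo.edu"),
    ("DNS", "specific-box-name.foo.edu"),
)

# Constructed user certificate carrying both a UPN and an XRI. A UPN travels
# as an otherName, which Python's ssl module reports as "<unsupported>".
USER_SAN = (
    ("othername", "<unsupported>"),
    ("URI", "xri://=example.user"),      # constructed XRI-style value
    ("email", "user@foo.edu"),           # constructed
)

if __name__ == "__main__":
    print(select_dns_name(SERVER_SAN, "specific-box-name.foo.edu"))
    print(select_by_type(USER_SAN, "URI", lambda v: v.startswith("xri://")))
    print(select_dns_name(USER_SAN, "foo.edu"))  # None: no dNSName present
```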