Subject: Re: [xri] Subject Auth Name?
Thanks!

Well, my phone connection was not that great, so I really could not hear you. SubjectAltName... of course! Need to re-read RFC5280 to find out the properties of it though...

=nat

RL 'Bob' Morgan wrote:
>> I would be interested to learn more on Subject Auth Name in the certs.
>> Could you point me to a reading material?
>>
>
> The field I was referring to is "Subject Alternative Name", aka
> subjectAltName. See section 4.2.1.6 of RFC 5280,
> http://www.rfc-editor.org/rfc/rfc5280.txt .
>
> The short version of a long story is that subjectAltName was added as an
> extension in X.509v3 (in 1993 or so) in recognition of the fact that the
> sorts of Internet entities that would be appropriate subjects of X.509
> certs do not have X.500 Distinguished Names, they have things like RFC
> 2822 email addresses and DNS names and (later) URIs (see the full list at
> the end of section 4.2.1.6).
>
> So in theory it is fine for an X.509 cert to have only a subjectAltName
> and no Subject. In practice X.509 tools and vendors have focused on the
> use of Subject DNs, one of the leading reasons why people avoid X.509
> outside of the area of web server certs. At my university we use DNS-name
> subjectAltNames quite a lot and have found that support for them in
> relying-party software is pretty good at this point. Support in UIs is
> another matter. And as mentioned the commercial CAs to my knowledge
> ignore them.
>
> - RL "Bob"
>
>
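Added example, not part of the original messages: a small decoder for the DER value of a subjectAltName extension (the GeneralNames SEQUENCE from RFC 5280 section 4.2.1.6), showing how the email, DNS, URI and IP address name forms mentioned in the quoted reply are distinguished by context tag. The sample bytes and the example.edu names are constructed for illustration, and the function names are this example's own.

```python
import ipaddress

# GeneralName CHOICE tag numbers, RFC 5280 section 4.2.1.6
NAMES = {0: "otherName", 1: "rfc822Name", 2: "dNSName", 3: "x400Address",
         4: "directoryName", 5: "ediPartyName",
         6: "uniformResourceIdentifier", 7: "iPAddress", 8: "registeredID"}
# Constructed sample: DER of a GeneralNames value with four entries
SAMPLE = (b"\x30\x3e"
          b"\x81\x0f" b"bob@example.edu"
          b"\x82\x0f" b"www.example.edu"
          b"\x86\x14" b"https://example.edu/"
          b"\x87\x04" b"\xc0\x00\x02\x0a")

def read_tlv(buf, pos):
    """Read one DER TLV at pos; return (tag_byte, value, next_pos)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    length = first
    if first >= 0x80:  # long form: low 7 bits give the count of length bytes
        n = first & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("bad length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def decode_san(ext_value):
    """Decode a subjectAltName extension value into (type, value) pairs."""
    tag, body, end = read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("expected exactly one SEQUENCE")
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        num = tag & 0x1F
        if tag & 0xC0 != 0x80 or num not in NAMES:
            raise ValueError("not a GeneralName choice")
        if num in (1, 2, 6):            # IA5String choices
            out.append((NAMES[num], val.decode("ascii")))
        elif num == 7 and len(val) in (4, 16):
            out.append((NAMES[num], str(ipaddress.ip_address(val))))
        else:                           # other choices: keep raw bytes as hex
            out.append((NAMES[num], val.hex()))
    if not out:  # RFC 5280: the sequence MUST contain at least one entry
        raise ValueError("empty GeneralNames")
    return out
```

The input is the content of the extension's extnValue OCTET STRING, not the whole certificate; malformed lengths and an empty sequence are rejected rather than silently accepted.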