On Thu, 15 Aug 2019 00:47:41 +0200, Michael Richardson wrote:

> > Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:
> > I am fiddling around with an intermediate CA signing cert that the CA's
> > 'name' is its HIP (RFC 7401) HIT which is a valid IPv6 address. Actually a
> > Hierarchical HIT as in draft-moskowitz-hierarchical-hip (to be revised soon).
>
> > For a client cert, it would be easy to put the HIT in subjectAltName per RFC
> > 8002 (with a null subjectName), but a CA cert MUST have a non-empty
> > subjectName.
>
> > Thus all I want in this subjectName is commonName with the HIT.
> > I am looking for examples of IPv6 addresses in commonName.
>
> I thought that RFC3779 did exactly what you want, but it does not define new
> Subject DN, but rather a new extension that will be bound to the Subject.
> (I was surprised that RFC3779 was not in the SIDR WG's list of documents, but
> I guess it preceded the SIDR working group, and occurred in PKIX)

OpenSSL does support that extension... crypto/x509v3/v3_addr.c (moved to
crypto/x509/v3_addr.c in the next major version) is all about that as far as
I can see. Thanks for bringing that up.

Trying to infer some kind of meaning into commonName would be a mistake
(aren't previous such hacks the very reason we have the subjectAltName
extension?)

> > In practice you could follow the nibble notation as already used
> > for delegation of IPv6 reverse lookups in DNS.
>
> so more correctly:
> DC=2/DC=0/DC=0/DC=1/DC=d/DC=b/DC=8
>
> > However for the CN in the end cert you could perhaps use the full
> > DNS reverse IPv6 name
> > "x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.x.ip6.arpa"
> > or the URL/Mail notation "[xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx]"
> > where the hex notation shall be the shortest form permitted by the
> > IPv6 notation spec.
>
> Bob, this seems like the best immediate hack to me.

"hack" would be the operative word here. While it's true that this would
fulfill the objective, I frankly wouldn't like to see such a cert.

Cheers,
Richard

--
Richard Levitte         levitte@xxxxxxxxxxx
OpenSSL Project         http://www.openssl.org/~levitte/
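The alternative the thread points at, as an added example that is not from the thread or from the OpenSSL project: a non-empty CA subject with only a label in commonName, the HIT in subjectAltName (RFC 8002), and the address bound to the certificate through the RFC 3779 extension that OpenSSL's config exposes as sbgp-ipAddrBlock. It assumes an openssl binary built with RFC 3779 support; 2001:db8::1 is a constructed placeholder standing in for a real HIT.

```shell
#!/bin/sh
# Added example: put the IPv6 identity in the RFC 3779 extension, not in CN.
set -eu

HIT="2001:db8::1"   # constructed placeholder for a HIT (not a real one)

# Minimal X.509v3 config. The subject is non-empty (a CA cert needs one) but
# carries only a human-readable label; machine-checkable identity lives in
# subjectAltName (RFC 8002) and in sbgp-ipAddrBlock (RFC 3779, critical).
make_config() {
  cat > "$1" <<EOF
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[ dn ]
CN = HIP intermediate CA
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
subjectAltName = IP:$HIT
sbgp-ipAddrBlock = critical, IPv6:$HIT/128
EOF
}

# Self-sign a throwaway CA and print its decoded text to stdout.
issue_ca() {
  dir=$(mktemp -d)
  make_config "$dir/ca.cnf"
  openssl req -new -x509 -newkey rsa:2048 -nodes -days 365 \
    -keyout "$dir/ca.key" -out "$dir/ca.pem" -config "$dir/ca.cnf" 2>/dev/null
  openssl x509 -in "$dir/ca.pem" -noout -text
  rm -rf "$dir"
}

# Verifier-style check: the address is found in the RFC 3779 block, so a
# relying party never has to parse commonName. OpenSSL prints the IPv6
# address uncompressed (2001:db8:0:0:0:0:0:1/128), so match on the prefix.
check_addr_block() {
  issue_ca | grep -A2 'sbgp-ipAddrBlock' | grep -q '2001:db8'
}

# Demo (only when an openssl binary is available): show the decoded block.
if command -v openssl >/dev/null 2>&1; then
  issue_ca | grep -A2 'sbgp-ipAddrBlock'
fi
```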