Richard Levitte <levitte@xxxxxxxxxxx> wrote:
> On Thu, 15 Aug 2019 00:47:41 +0200, Michael Richardson wrote:
>>
>> Robert Moskowitz <rgm@xxxxxxxxxxxxxxx> wrote:
>> > I am fiddling around with an intermediate CA signing cert that the CA's
>> > 'name' is its HIP (RFC 7401) HIT which is a valid IPv6 address. Actually a
>> > Hierarchical HIT as in draft-moskowitz-hierarchical-hip (to be revised
>> > soon).
>> >
>> > For a client cert, it would be easy to put the HIT in subjectAltName
>> > per RFC 8002 (with a null subjectName), but a CA cert MUST have a
>> > non-empty subjectName.
>> >
>> > Thus all I want in this subjectName is commonName with the HIT. I
>> > am looking for examples of IPv6 addresses in commonName.
>>
>> I thought that RFC3779 did exactly what you want, but it does not
>> define new Subject DN, but rather a new extension that will be bound
>> to the Subject. (I was surprised that RFC3779 was not in the SIDR
>> WG's list of documents, but I guess it preceded the SIDR working
>> group, and occurred in PKIX)
>
> OpenSSL does support that extension... crypto/x509v3/v3_addr.c (moved
> to crypto/x509/v3_addr.c in next major version) is all about that as
> far as I can see.
>
> Thanks for bringing that up. Trying to infer some kind of meaning into
> commonName would be a mistake (isn't previous such hacks the very
> reason we have the subjectAltName extension?)

Yes, but we didn't let (intermediate) CAs have an empty subject DN,
SAN-only, because we don't have an IssuerAltName for the next level.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr@xxxxxxxxxxxx  http://www.sandelman.ca/        |   ruby on rails    [