Re: Issuer of 200103ffe3ff8

Hello, Viktor!  Thanks for the help!

On 5/11/23 00:07, Viktor Dukhovni wrote:
> On Wed, May 10, 2023 at 11:09:54PM -0400, Robert Moskowitz wrote:
>
>> I would want the Issuer DN to be these values.  What might be the
>> preferred DN field for encoding this?  CN? UNSTRUCTUREDADDRESS? (how is
>> this abbreviated?) serialNumber (SN)? or something else?
>
> Do you have to try to encode these as X.509 names, or specifically in
> the issuer or subject DNs?  If the specification does not require this,
> I'd recommend not attempting to assign any meaning to X.509 names.
>
> Just use an uninterpreted unique Common name for each issuing CA, and
> empty subject names for all EE certificates.

Kind of what I was thinking.


> Any names that have meanings would then be Subject Alternative Names
> of the relevant certificates.  If there's a reasonable use case, you
> could also employ Issuer Alternative Names.
>
>      https://datatracker.ietf.org/doc/html/rfc5280#section-4.2.1.7
>
> 4.2.1.7.  Issuer Alternative Name
>
>    As with Section 4.2.1.6, this extension is used to associate Internet
>    style identities with the certificate issuer.  Issuer alternative
>    name MUST be encoded as in 4.2.1.6.  Issuer alternative names are not
>    processed as part of the certification path validation algorithm in
>    Section 6.  (That is, issuer alternative names are not used in name
>    chaining and name constraints are not enforced.)

Not used in the path validation is an issue.  So probably not the way to go.

As I was falling asleep last night I thought that authorityKeyIdentifier is part of the solution.

issuerName is CN=20010030000000
authorityKeyIdentifier is iPAddress=20010030000000052aeb9adc1ce8b1ec

 And no subjectName, just subjectAltName of iPAddress with the DET of the subject entity.
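
The layout discussed in this thread (an issuing CA named only by an opaque CN, an EE certificate with no subject DN, and the identifier carried as an iPAddress subjectAltName) can be reproduced with the Go standard library. This is an added example, not part of either message and not OpenSSL code: the function names, Ed25519 keys and one-hour validity are assumptions. The authorityKeyIdentifier here is the ordinary key identifier copied from the CA's subjectKeyIdentifier, not an iPAddress value.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"net"
	"time"
)

// sign issues tmpl under parent with the CA's private key and parses the result.
func sign(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, caKey ed25519.PrivateKey) (*x509.Certificate, error) {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// issueEE builds a demo CA named by an opaque CN, then an EE cert whose only name is an iPAddress SAN.
func issueEE(caCN, detHex string) (ca, ee *x509.Certificate, err error) {
	det, err := hex.DecodeString(detHex)
	if err != nil || len(det) != net.IPv6len {
		return nil, nil, fmt.Errorf("DET must be %d hex-encoded bytes", net.IPv6len)
	}
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader) // throwaway demo keys
	eePub, _, _ := ed25519.GenerateKey(rand.Reader)
	from, to := time.Now(), time.Now().Add(time.Hour)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), NotBefore: from, NotAfter: to,
		Subject: pkix.Name{CommonName: caCN}, IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	if ca, err = sign(caTmpl, caTmpl, caPub, caKey); err != nil {
		return nil, nil, err
	}
	eeTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), NotBefore: from, NotAfter: to,
		KeyUsage: x509.KeyUsageDigitalSignature, IPAddresses: []net.IP{det}} // Subject unset: empty DN, SAN made critical
	ee, err = sign(eeTmpl, ca, eePub, caKey)
	return ca, ee, err
}

func main() {
	ca, ee, err := issueEE("20010030000000", "20010030000000052aeb9adc1ce8b1ec")
	if err != nil {
		panic(err)
	}
	fmt.Println(ee.Issuer, ee.IPAddresses, ee.CheckSignatureFrom(ca) == nil)
}
```

With an empty subject DN, RFC 5280 requires the subjectAltName extension to be marked critical; Go's `x509.CreateCertificate` does this automatically when the template's subject is empty.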




