RE: What's in a Name?

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

RE: What's in a Name?

Stefan Santesson
Excuse the delayed response.

I'm not sure that the following is of any use in your discussion but, as
Larry points out, CA certificates compliant with RFC 3280 MUST contain a
non empty DN.

The reason is not just to provide a meaningful name of CA's but rather
that implementations may fail building the certificate path unless CA
certificates contains a DN.

Subject certificates may omit a subject DN but MUST then contain a
non-empty subjectAltName extension marked as critical.


Stefan Santesson
Program Manager, Standards Liaison
Windows Security
 

> -----Original Message-----
> From: Jeffrey Hutzelman [mailto:[hidden email]]
> Sent: den 14 juli 2005 17:23
> To: Liqiang(Larry) Zhu; [hidden email]
> Cc: [hidden email]; Stefan Santesson; [hidden email]
> Subject: RE: What's in a Name?
>
>
>
> On Thursday, July 14, 2005 05:15:50 PM -0700 "Liqiang(Larry) Zhu"
> <[hidden email]> wrote:
>
> > Jeffrey Hutzelman wrote:
> >> We run into those issues anyway for TD-TRUSTED-CERTIFIERS and
> > AD-INITIAL->
> >> VERIFIED-CAS.
> >
> > No, my assumption is the subject DN is always present for the CA
> > certificate.
>
> OK, so we don't run into the "Name not present" for
TD-TRUSTED-CERTIFIERS.
> What about AD-INITIAL-VERIFIED-CA's?  I don't remember; does that
include
> the leaf cert or only the CA's?
>