Paul Hoffman wrote:
> At 11:54 AM -0500 3/27/08, Dean Willis wrote:
>> OpenSSL can generate SAN. None of my certs have it.
>
> Off-list, Dean told me that his certs are CA certs, which indeed
> should not have the domain name in the subjectAltName.
>
> But the bigger question is: how important is being able to handle
> legacy certificates for this protocol?
The WG consensus so far has been that handling legacy certificates
is very important. If we (i.e., the author team) get guidance from
the ADs and SecDir that this can be relaxed, then we can do as you
suggest.
> Because you are mandating that the certificates have to have the new
> EKU [...]
Our thought was to have *new* certificates be issued with the SIP EKU
and identity in SAN. However, legacy certificates will most certainly
not have the SIP EKU, but could possibly have the identity in SAN.
Thus the rules you see in the drafts to allow legacy certificates to
be used while supporting newly issued certificates.
Thanks,
- vijay
--
Vijay K. Gurbani, Bell Laboratories, Alcatel-Lucent
2701 Lucent Lane, Rm. 9F-546, Lisle, Illinois 60532 (USA)
Email: vkg {alcatel-lucent.com,bell-labs.com,acm.org}
WWW: http://www.alcatel-lucent.com/bell-labs
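The acceptance rule Vijay sketches (new certificates carry the SIP EKU and the identity in subjectAltName; legacy certificates lack the EKU but may still carry the identity in SAN; CA certificates are not domain identity certificates at all) can be written down as a small decision procedure. The following is an added example, not code from the SIP WG drafts or from any participant in the thread. The concrete values are assumptions taken from the later RFCs rather than from this message: the id-kp-sipDomain OID 1.3.6.1.5.5.7.3.20 from RFC 5924, and the rule that SAN is consulted first and the subject CN only when SAN is absent from RFC 5922 section 7.1. The `CertFacts` class, the sample certificates and the `facts_from_cryptography` adapter for pyca/cryptography are all constructed for illustration; the policy itself runs on plain Python values so no third-party library is needed.

```python
"""Decide whether an X.509 certificate may assert a SIP domain identity.

Added example; not the SIP WG drafts' text or any participant's code.
Policy: absent EKU = legacy certificate, accepted on identity alone;
present EKU must carry id-kp-sipDomain (or anyExtendedKeyUsage);
identity comes from SAN (sip: URI host or dNSName), with the subject CN
used only when the certificate has no SAN extension at all; CA
certificates are rejected as identity certificates.  OIDs and the CN
fallback are assumptions taken from RFC 5924 / RFC 5922.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

ID_KP_SIP_DOMAIN = "1.3.6.1.5.5.7.3.20"   # id-kp-sipDomain (RFC 5924, assumed)
ANY_EKU = "2.5.29.37.0"                    # anyExtendedKeyUsage (RFC 5280)
ID_KP_SERVER_AUTH = "1.3.6.1.5.5.7.3.1"    # used below for a TLS-only sample cert


@dataclass
class CertFacts:
    """Only the certificate fields the policy needs (constructed shape)."""
    is_ca: bool
    common_name: Optional[str]
    san_uris: List[str] = field(default_factory=list)
    san_dns: List[str] = field(default_factory=list)
    has_san: bool = False                  # True even if SAN holds no usable name
    eku_oids: Optional[List[str]] = None   # None: extension absent (legacy cert)


def sip_uri_host(uri: str) -> Optional[str]:
    """Host of a sip:/sips: URI (user part, port, params, headers stripped)."""
    scheme, _, rest = uri.partition(":")
    if scheme.lower() not in ("sip", "sips"):
        return None
    hostport = rest.rsplit("@", 1)[-1].split(";")[0].split("?")[0]
    # A single colon separates host:port; IPv6 literals are not handled here.
    host = hostport.rsplit(":", 1)[0] if hostport.count(":") == 1 else hostport
    return host.lower().rstrip(".") or None


def asserted_domains(facts: CertFacts) -> Set[str]:
    """Domains the certificate claims; SAN wins, CN only when SAN is absent."""
    if facts.has_san:
        names = {h for h in map(sip_uri_host, facts.san_uris) if h}
        names |= {d.lower().rstrip(".") for d in facts.san_dns}
        return names
    if facts.common_name:
        return {facts.common_name.lower().rstrip(".")}
    return set()


def classify_eku(facts: CertFacts) -> str:
    """'legacy' (no EKU), 'sip' (id-kp-sipDomain), 'any', or 'other'."""
    if facts.eku_oids is None:
        return "legacy"
    if ID_KP_SIP_DOMAIN in facts.eku_oids:
        return "sip"
    if ANY_EKU in facts.eku_oids:
        return "any"
    return "other"


def check_sip_domain_cert(facts: CertFacts, domain: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for using this certificate as `domain`'s identity."""
    if facts.is_ca:
        return False, "CA certificate: not an end-entity domain identity cert"
    kind = classify_eku(facts)
    if kind == "other":
        return False, "EKU present but lacks id-kp-sipDomain / anyExtendedKeyUsage"
    want = domain.lower().rstrip(".")
    names = asserted_domains(facts)
    if want not in names:                  # exact match only; no wildcards
        return False, f"{want!r} not among asserted identities {sorted(names)}"
    label = "new-style (SIP EKU)" if kind == "sip" else "legacy (no SIP EKU)"
    return True, f"accepted as {label} certificate for {want}"


def facts_from_cryptography(cert) -> CertFacts:
    """Adapter for a pyca/cryptography x509.Certificate; import kept local."""
    from cryptography import x509
    from cryptography.x509.oid import NameOID

    def ext(cls):
        try:
            return cert.extensions.get_extension_for_class(cls).value
        except x509.ExtensionNotFound:
            return None

    bc, san, eku = ext(x509.BasicConstraints), ext(x509.SubjectAlternativeName), ext(x509.ExtendedKeyUsage)
    cns = cert.subject.get_attributes_for_oid(NameOID.COMMON_NAME)
    return CertFacts(
        is_ca=bool(bc and bc.ca),
        common_name=cns[0].value if cns else None,
        san_uris=san.get_values_for_type(x509.UniformResourceIdentifier) if san else [],
        san_dns=san.get_values_for_type(x509.DNSName) if san else [],
        has_san=san is not None,
        eku_oids=[oid.dotted_string for oid in eku] if eku is not None else None,
    )


# Constructed sample certificates covering the cases discussed in the thread.
NEW_CERT = CertFacts(False, "sip.example.com", ["sip:example.com"], ["example.com"], True, [ID_KP_SIP_DOMAIN])
LEGACY_SAN = CertFacts(False, "example.com", [], ["example.com"], True, None)
LEGACY_CN = CertFacts(False, "example.com")                   # no SAN at all: CN fallback
LEGACY_SAN_MISMATCH = CertFacts(False, "example.com", [], ["sip.example.com"], True, None)
CA_CERT = CertFacts(True, "Example Root CA")                   # Dean's case
TLS_ONLY = CertFacts(False, "example.com", [], ["example.com"], True, [ID_KP_SERVER_AUTH])

if __name__ == "__main__":
    for name, facts in [("new", NEW_CERT), ("legacy/SAN", LEGACY_SAN), ("legacy/CN", LEGACY_CN),
                        ("legacy/SAN-mismatch", LEGACY_SAN_MISMATCH), ("CA", CA_CERT), ("TLS-only", TLS_ONLY)]:
        print(f"{name:20s}", check_sip_domain_cert(facts, "example.com"))
```

The `LEGACY_SAN_MISMATCH` sample is the case worth noticing: once a SAN extension is present, the CN is never consulted, so a legacy certificate whose SAN names only `sip.example.com` does not authenticate `example.com` even though its CN says so.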
_______________________________________________
Sip mailing list https://www.ietf.org/mailman/listinfo/sip
This list is for NEW development of the core SIP Protocol
Use sip-implementors cs.columbia.edu for questions on current sip
Use sipping ietf.org for new developments on the application of sip