

To: "Alexander Mayrhofer" <axelm@nic.at>, <ietf-provreg@cafax.se>
From: "Hollenbeck, Scott" <shollenbeck@verisign.com>
Date: Thu, 7 Dec 2006 07:05:19 -0500
Content-class: urn:content-classes:message
Sender: owner-ietf-provreg@cafax.se
Thread-Index: AccZ6i+BiCBh3tWmS/m905hi7gydkAADUu1w
Thread-Topic: Certificate Validation and Subject Analysis
Subject: [ietf-provreg] RE: Certificate Validation and Subject Analysis

> -----Original Message-----
> From: Alexander Mayrhofer [mailto:axelm@nic.at] 
> Sent: Thursday, December 07, 2006 5:26 AM
> To: ietf-provreg@cafax.se; Hollenbeck, Scott
> Subject: Re: Certificate Validation and Subject Analysis
> 
> > I received a question from an IESG member about EPP implementations and
> > X.509 digital certificate validation.  What are implementers doing with
> > the certificate subject name information when validating the
> > certification path of a client or server?  Is the name being examined
> > and/or used for authentication or access control purposes?
> 
> Scott,
> 
> We're now using two different toolkits - one homegrown (for User-ENUM), and
> Net::DRI (for upcoming .at registry, plus infrastructure ENUM).
> 
> Neither of those toolkits currently does anything with the certificates
> provided by the registry - TLS is hence only used for encryption, not for
> authentication.
> 
> That might change in the future, so any guidance about what to do is
> appreciated.

I think you'll find that guidance in the next update of 3734bis.  Two
IESG members have said that the document needs text to require use of
the certificate subject as part of the authentication process.  I hope
to have the final version ready for IESG approval in the next day or so.
I'm just waiting for one IESG member to confirm that the changes are
acceptable.

-Scott-

