Re: [pkix] Syntax of Subject Alternative Names field in a certificate

George Michaelson <ggm@algebras.org> Tue, 16 April 2024 22:09 UTC

References: <BY1PR15MB6150E0A016987E14C1991B40EF082@BY1PR15MB6150.namprd15.prod.outlook.com> <BY1PR15MB6150B48C505432B45AC299F5EF082@BY1PR15MB6150.namprd15.prod.outlook.com> <4bc8e888-232a-4298-b10f-441ce7d41e7a@nthpermutation.com>
In-Reply-To: <4bc8e888-232a-4298-b10f-441ce7d41e7a@nthpermutation.com>
From: George Michaelson <ggm@algebras.org>
Date: Wed, 17 Apr 2024 08:08:47 +1000
Message-ID: <CAKr6gn1fXrsLraoK7vTkxisFB4Qm2aSuaS9BPpM0FTGsgq3ieQ@mail.gmail.com>
To: Michael StJohns <msj@nthpermutation.com>
Cc: pkix@ietf.org
Archived-At: <https://mailarchive.ietf.org/arch/msg/pkix/wrgM2ivnNEc3kzNxQQjQ3wfspPQ>
Subject: Re: [pkix] Syntax of Subject Alternative Names field in a certificate

You're right that it's a question for another list, but the disjunction
between ASN.1 and OID on the one hand, and presentation format and
input in .config tooling on the other hand is very strong here.

In times past IETF has engaged in specifying things which strictly
have nothing to do with on-the-wire bit sequences. Sockets-related
stuff, for instance. It's not common, and I don't think this fits the
bill, but the problem is real:

people get confused about presentation format and encoding.

-G

On Wed, Apr 17, 2024 at 1:52 AM Michael StJohns <msj@nthpermutation.com> wrote:
>
> Hi Andreas -
>
> You appear to be asking about how to make Openssl issue a cert with an SAN.  That's not a topic for this list.
>
> This list is about IETF standards in the Public Key Infrastructure field of use.  If you have a question about the ASN1 that goes into making an SAN OtherName, that would be more appropriate for this list.
>
> I'd suggest referring your questions to the OpenSSL community, or going to the repository and reading the code directly.
>
> Good luck - Mike
>
> On 4/16/2024 8:12 AM, Andreas Maier wrote:
>
> Hi, I am trying to understand what the syntax is for the string value of the Subject Alternative Names field, particularly when it contains multiple entries.
>
> I was hopeful to find that in https://datatracker.ietf.org/doc/html/rfc5280 which has a section 4.2.1.6 “Subject Alternative Name”, but I could not get that out of the syntax description in there.
>
> I can find examples which seem to suggest it is a comma-separated list of items, each of which has a type indicator (e.g. “DNS”), as in:
>
> DNS:{hostname1},IP:{ip2},email:{email},URI:{uri4}
>
> Some sources for the examples:
>
> https://www.openssl.org/docs/man1.0.2/man5/x509v3_config.html
> https://support.hpe.com/hpesc/public/docDisplay?docId=sf000094754en_us&docLocale=en_US&page=index.html
> https://www.linode.com/docs/guides/using-openssls-subjectaltname-with-multiple-site-domains/ use:
>
> Where is the syntax of the Subject Alternative Names field documented in an RFC?
> Are the type indicators mandatory or optional?
>
> Kind regards,
>
> Andy
>
> _______________________________________________
> pkix mailing list
> pkix@ietf.org
> https://www.ietf.org/mailman/listinfo/pkix
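The presentation-format-versus-encoding confusion George describes, as an added example that is not part of this thread, of OpenSSL, or of any other project's code. It parses the OpenSSL-style "DNS:...,IP:...,email:...,URI:..." presentation string Andreas quoted into typed entries, then DER-encodes them as the RFC 5280 section 4.2.1.6 GeneralNames SEQUENCE and decodes the result back. On the wire the "DNS:" style prefix does not exist at all: the type is carried by a context-specific ASN.1 tag (rfc822Name [1], dNSName [2], uniformResourceIdentifier [6], iPAddress [7]), the string values are IA5String (ASCII only), and an iPAddress is 4 or 16 raw octets rather than dotted text. Assumptions: only those four GeneralName alternatives are handled (otherName, directoryName and the rest are rejected), the sample line and its values are constructed, and the encoder/decoder are hand-written for illustration rather than taken from any ASN.1 library.

```python
"""Presentation format vs. DER encoding of subjectAltName GeneralNames (RFC 5280 4.2.1.6)."""
import ipaddress

# GeneralName CHOICE alternatives handled here, keyed by the OpenSSL-style type
# indicator, mapped to their context-specific tag numbers from RFC 5280.
# (Assumption: the other alternatives, e.g. otherName [0], are out of scope.)
TAG_BY_TYPE = {"email": 1, "DNS": 2, "URI": 6, "IP": 7}
TYPE_BY_TAG = {v: k for k, v in TAG_BY_TYPE.items()}


def _der_length(n: int) -> bytes:
    """DER definite-length encoding: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_tlv(tag: int, content: bytes) -> bytes:
    """Wrap content in a single-byte tag plus DER length."""
    return bytes([tag]) + _der_length(len(content)) + content


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, next_pos) for the TLV starting at pos (single-byte tags only)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        length, pos = first, pos + 2
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos + 2:pos + 2 + nbytes], "big")
        pos += 2 + nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_presentation(line: str) -> list:
    """Parse 'DNS:a,IP:192.0.2.1,email:x@y,URI:u' into (type, value) pairs.

    The 'DNS:' style prefixes exist only in tooling configuration, never in the
    certificate. An item without a known prefix is rejected rather than guessed.
    """
    entries = []
    for item in line.split(","):
        item = item.strip()
        if not item:
            continue
        typ, sep, value = item.partition(":")  # first ':' only, so URIs keep theirs
        if not sep or typ not in TAG_BY_TYPE:
            raise ValueError(f"missing or unknown type indicator in {item!r}")
        entries.append((typ, value))
    return entries


def encode_general_names(entries: list) -> bytes:
    """DER-encode GeneralNames ::= SEQUENCE SIZE (1..MAX) OF GeneralName."""
    if not entries:
        raise ValueError("GeneralNames must contain at least one name")
    body = b""
    for typ, value in entries:
        tag = 0x80 | TAG_BY_TYPE[typ]  # context-specific, primitive
        if typ == "IP":
            content = ipaddress.ip_address(value).packed  # 4 or 16 raw octets
        else:
            # rfc822Name, dNSName and uniformResourceIdentifier are IA5String.
            if not value.isascii():
                raise ValueError(f"{typ} value must be IA5String (ASCII): {value!r}")
            content = value.encode("ascii")
        body += _der_tlv(tag, content)
    return _der_tlv(0x30, body)  # SEQUENCE


def decode_general_names(der: bytes) -> list:
    """Walk the SEQUENCE and map each context-specific tag back to a presentation type."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, content, pos = _read_tlv(body, pos)
        if tag & 0xC0 != 0x80:
            raise ValueError(f"GeneralName must be context-specific, got tag 0x{tag:02x}")
        typ = TYPE_BY_TAG.get(tag & 0x1F)
        if typ is None:
            raise ValueError(f"unsupported GeneralName alternative [{tag & 0x1F}]")
        if typ == "IP":
            if len(content) not in (4, 16):
                raise ValueError("iPAddress must be 4 or 16 octets")
            value = str(ipaddress.ip_address(content))
        else:
            value = content.decode("ascii")
        names.append((typ, value))
    return names


def demo():
    """Round-trip a constructed sample line; returns (entries, der)."""
    line = "DNS:www.example.com,IP:192.0.2.1,email:admin@example.com,URI:https://example.com/"
    entries = parse_presentation(line)
    der = encode_general_names(entries)
    assert decode_general_names(der) == entries
    return entries, der


if __name__ == "__main__":
    names, der = demo()
    print(names)
    print(der.hex())
```

The presentation string is a convenience for humans and configuration files; a validator never sees it. It compares the host it is connecting to against the decoded dNSName or iPAddress content, which is why a "DNS:" value that is really an IP address, or an IP written as text into the wrong alternative, fails to match even though the config line looked right. The comma-split is a limitation of the presentation format itself: a URI containing a comma cannot be expressed unambiguously in that form, whereas DER has no such problem.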