On Mon Sep 13 18:59:03 2010, Stefan Santesson wrote:
I agree here. Both to this and to former speakers stating that the
Well, I'd say the assertion is the presence of the SAN in the cert. I
mean, an assertion is a positive statement made *without* evidence.
The evidence is then the signature of the issuer, who certifies the
assertion - it doesn't matter who makes that assertion. But anyway,
that's somewhat moot, and as Shumon points out, we needn't care about
who authorized what unto whom.
is made by the CA and not the subject.
I'm struggling with the most easy to understand text, but I think
at least the correct thing:
"A DNS domain name, representing a domain for which the
issuer has asserted that the certified subject is a
provider of the identified service."
"The requested DNS domain name for the specified service. That is,
the domain name which would be found in the URI for the service, and
other protocol identifiers of a similar nature. Where the service is
directly requested by hostname, this domain name would be the
I think that covers all the cases I'd expect by example, without
worrying about who's asserting and certifying. No doubt someone will
reword with a sprinkling of 2119.
Dave Cridland - mailto:dave(_at_)cridland(_dot_)net -
Infotrope Polymer - ACAP, IMAP, ESMTP, and Lemonade