[161016] in North American Network Operators' Group


Re: looking for terminology recommendations concerning non-rooted

daemon@ATHENA.MIT.EDU (Brian Reichert)
Fri Feb 22 12:32:21 2013

Date: Fri, 22 Feb 2013 12:17:10 -0500
From: Brian Reichert <reichert@numachi.com>
To: Karl Auer <kauer@biplane.com.au>
In-Reply-To: <1361513943.28479.437.camel@karl>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Fri, Feb 22, 2013 at 05:19:03PM +1100, Karl Auer wrote:
> It's a convention common enough and useful enough that I can see why
> people would want a handy term for it.

The core issue I'm trying to resolve surrounds the generation of a
CSR.  We're trying to automate this process for a network appliance
my employer sells.

When our appliance generates a CSR for itself, among the steps is
to get a PTR record; by convention (or otherwise) these are rooted
domain names.

When we generate a CSR, we're choosing to include the rooted domain
name, as well as the other form (for now, I guess it should be
called a FQDN, the version without the trailing dot).

The resulting issued certificate has both forms in the SubjectAltName
field, and this allows both hostname forms to be used to establish
an SSL connection to our server.  They are considered distinct for
the Subject verification phase.

It's come to my attention that some commercial certificate vendors
think that having multiple hostnames in the SAN list costs more
money; go figure.  Our customers then have to go through some
soul-searching to pare down the list of hostnames in the SAN in the
CSR.

There are some understandable questions about why we include both
forms, and whether or not they are necessary.

We need to document our policies and recommendations, and I'm trying
to establish the vocabulary.

Hence my original question.  Irrespective of the state of RFCs,
there are competing conventions, and ambiguous terminology.  And I
was seeking guidance. :)

I do appreciate the feedback provided thus far.

> Regards, K.
> 
> -- 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Karl Auer (kauer@biplane.com.au)
> http://www.biplane.com.au/kauer
> http://www.biplane.com.au/blog

-- 
Brian Reichert				<reichert@numachi.com>
BSD admin/developer at large	
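As an added example (not code from the post or from the appliance Brian describes), the Python below models the two name forms derived from a PTR target, the openssl-style subjectAltName line that would carry both, and a verifier that compares SAN dNSName entries label-for-label without stripping the trailing dot, which is the behaviour that makes the two forms distinct during subject verification. The PTR target and all function names are constructed for illustration.

```python
"""Rooted vs. non-rooted hostnames in a CSR's SubjectAltName list.

Added example, not from the mailing-list post. Models (a) the appliance
deriving both name forms from a PTR answer, and (b) a verifier that does
exact label comparison with no trailing-dot normalisation, so
'host.example.com.' and 'host.example.com' only match if both are listed.
"""


def both_name_forms(ptr_target: str) -> list:
    """Return [non-rooted, rooted] forms for a name taken from a PTR record.

    PTR targets are conventionally rooted (trailing dot); accept either input.
    """
    rooted = ptr_target if ptr_target.endswith(".") else ptr_target + "."
    return [rooted.rstrip("."), rooted]


def openssl_san_line(names) -> str:
    """Build the subjectAltName value for an 'openssl req' config section."""
    return "subjectAltName=" + ",".join("DNS:" + n for n in names)


def san_matches(presented: str, san_dns_names) -> bool:
    """Case-insensitive, label-for-label match against SAN dNSName entries.

    A single leftmost '*' label is allowed to match one presented label.
    No normalisation of a trailing dot: the rooted form has an extra, empty
    final label, so it never matches a non-rooted entry (and vice versa).
    """
    p_labels = presented.lower().split(".")
    for entry in san_dns_names:
        e_labels = entry.lower().split(".")
        if len(e_labels) != len(p_labels):
            continue
        ok = True
        for i, (e, p) in enumerate(zip(e_labels, p_labels)):
            wildcard_ok = (i == 0 and e == "*" and p != "")
            if not (wildcard_ok or e == p):
                ok = False
                break
        if ok:
            return True
    return False


def uncovered_names(san_dns_names, wanted) -> list:
    """Names a pared-down SAN list would no longer let clients connect with."""
    return [n for n in wanted if not san_matches(n, san_dns_names)]


if __name__ == "__main__":
    forms = both_name_forms("appliance.example.com.")  # constructed PTR target
    print(openssl_san_line(forms))
    print(uncovered_names(forms[:1], forms))  # dropping the rooted form
```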

