IPv6 address encoding in commonName

Michael Richardson mcr at sandelman.ca
Thu Aug 15 13:34:00 UTC 2019

Richard Levitte <levitte at openssl.org> wrote:
    > On Thu, 15 Aug 2019 00:47:41 +0200, Michael Richardson wrote:
    >> Robert Moskowitz <rgm at htt-consult.com> wrote:
    >> > I am fiddling around with an intermediate CA signing cert that the CA's
    >> > 'name' is its HIP (RFC 7401) HIT which is a valid IPv6 address. Actually a
    >> > Hierarchical HIT as in draft-moskowitz-hierarchical-hip (to be revised
    >> > soon).
    >> > For a client cert, it would be easy to put the HIT in subjectAltName
    >> > per RFC 8002 (with a null subjectName), but a CA cert MUST have a
    >> > non-empty subjectName.
    >> > Thus all I want in this subjectName is commonName with the HIT.
    >> > I am looking for examples of IPv6 addresses in commonName.
    >> I thought that RFC3779 did exactly what you want, but it does not
    >> define new Subject DN, but rather a new extension that will be bound
    >> to the Subject.  (I was surprised that RFC3779 was not in the SIDR
    >> WG's list of documents, but I guess it preceded the SIDR working
    >> group, and occurred in PKIX)

    > OpenSSL does support that extension...  crypto/x509v3/v3_addr.c (moved
    > to crypto/x509/v3_addr.c in next major version) is all about that as
    > far as I can see.

    > Thanks for bringing that up.  Trying to infer some kind of meaning into
    > commonName would be a mistake (isn't previous such hacks the very
    > reason we have the subjectAltName extension?)

Yes, but we didn't let (intermediate) CAs have an empty subject DN, SAN-only,
because we don't have an IssuerAltName for the next level.

]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        |    IoT architect   [
]     mcr at sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [
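
Richard's point above (take the address from subjectAltName, never by interpreting commonName) worked through in Go's crypto/x509, as an added example that is not code from this thread, from OpenSSL or from any HIP implementation: the CA keeps a non-empty subject DN by putting the textual HIT in commonName, the same HIT goes into the SAN as an iPAddress, and the verifier reads it only from the SAN, using commonName purely as a consistency check. It assumes a constructed HIT inside the ORCHIDv2 prefix 2001:20::/28 that RFC 7343 reserves for HITs; Go's standard library does not parse the RFC 3779 address-block extension, so that route is not shown here.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"net"
	"time"
)

// orchidV2 is the IPv6 prefix RFC 7343 reserves for HITs (2001:20::/28).
var _, orchidV2, _ = net.ParseCIDR("2001:20::/28")

// buildHITCA self-signs a CA certificate whose subject DN is just a commonName
// holding the textual HIT (a CA's subject must be non-empty) and whose
// subjectAltName carries the same HIT as an iPAddress. Returns DER bytes.
func buildHITCA(hit net.IP) ([]byte, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: hit.String()},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
		IPAddresses:           []net.IP{hit}, // the machine-readable copy
	}
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
}

// hitFromCert takes the HIT from the SAN iPAddress entries instead of parsing
// commonName; commonName is only checked for agreement with the SAN.
func hitFromCert(der []byte) (net.IP, error) {
	cert, err := x509.ParseCertificate(der)
	if err != nil { return nil, err }
	for _, ip := range cert.IPAddresses {
		if ip.To4() != nil || !orchidV2.Contains(ip) { continue } // not a HIT
		if cn := net.ParseIP(cert.Subject.CommonName); cn == nil || !cn.Equal(ip) {
			return nil, errors.New("commonName disagrees with subjectAltName HIT")
		}
		return ip, nil
	}
	return nil, errors.New("no HIT in subjectAltName")
}
```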
