md-distro list archive (Metadata Distribution Subcommittee of TAC)

Re: [md-distro] new self-signed signing certificate


  • From: Ian Young
  • Subject: Re: [md-distro] new self-signed signing certificate
  • Date: Fri, 13 Dec 2013 11:53:33 +0000


On 13 Dec 2013, at 11:33, Tom Scavo wrote:

> The certificate itself is signed with SHA-256 (not
> a big deal, but why not?).

I think that makes sense, if only to head off questions.

> The main question I have is the DNs. You
> can see what we've chosen in the output below. Is there some strategy
> to choosing something else? If so, I'm not seeing it.

> Issuer: CN=fedop.incommonfederation.org

There's no requirement that a CN be a domain name AFAIK; that's just a
convention used for end entity certificates associated with TLS. When I
created the UKf signing certificate, I took advantage of that to use the DN
to indicate the *purpose* of the certificate rather than necessarily the
owner. So the UKf one looks like this:

Issuer: C=GB, O=UK Access Management Federation for Education and
Research, CN=UK Federation Metadata Signer

So that's an alternative strategy, although I wouldn't say that it makes a
critical difference in any way.

-- Ian



Attachment: smime.p7s
Description: S/MIME cryptographic signature
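A worked illustration of the two points raised in this exchange (a SHA-256 self-signature and a DN that names the certificate's purpose rather than a host), added here as an example and not taken from the thread, from InCommon or from the UK federation: it uses openssl to generate a self-signed signing certificate and then checks the signature algorithm, the subject DN and that the certificate really is self-signed. The organisation name, CN, key size and lifetime are assumed values chosen for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): generate a self-signed
# metadata signing certificate whose DN describes its purpose, signed with
# SHA-256, then verify those properties with openssl.
# O, CN, key size and lifetime below are assumptions for illustration only.

set -eu

# Create a key pair and self-signed certificate in directory $1.
# Prints the path of the certificate file.
make_signing_cert() {
    dir="$1"
    mkdir -p "$dir"
    # -sha256 selects the hash used in the certificate's own signature;
    # -subj sets a purpose-describing DN instead of a host name.
    openssl req -x509 -newkey rsa:3072 -nodes -sha256 -days 3650 \
        -keyout "$dir/signer.key" -out "$dir/signer.crt" \
        -subj "/C=GB/O=Example Federation/CN=Example Federation Metadata Signer" \
        >/dev/null 2>&1
    echo "$dir/signer.crt"
}

# Print the signature algorithm of certificate $1,
# e.g. sha256WithRSAEncryption (first match is the one in the TBS part).
cert_sig_alg() {
    openssl x509 -in "$1" -noout -text | awk '/Signature Algorithm:/ {print $3; exit}'
}

# Print the subject DN of certificate $1 in RFC 2253 form
# (the "subject=" prefix, with or without a trailing space, is stripped).
cert_subject() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Succeed only if certificate $1 is self-signed: the issuer DN equals the
# subject DN and the signature verifies against the certificate's own key.
cert_is_self_signed() {
    s=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    i=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
    [ "$s" = "$i" ] && openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}
```

Consumers of signed SAML metadata normally pin the signing certificate or its public key rather than validating a chain, so the hash used in the certificate's self-signature matters far less than the hash used when signing the metadata itself; these checks only confirm the properties of the certificate file.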




