md-distro - Re: [md-distro] new self-signed signing certificate
Subject: Metadata Distribution Subcommittee of TAC
- From: Ian Young
- Subject: Re: [md-distro] new self-signed signing certificate
- Date: Fri, 13 Dec 2013 11:53:33 +0000
On 13 Dec 2013, at 11:33, Tom Scavo wrote:
> The certificate itself is signed with SHA-256 (not
> a big deal, but why not?).
I think that makes sense, if only to head off questions.
> The main question I have is the DNs. You
> can see what we've chosen in the output below. Is there some strategy
> to choosing something else? If so, I'm not seeing it.
> Issuer: CN=fedop.incommonfederation.org
There's no requirement that a CN be a domain name AFAIK, that's just a
convention used for end entity certificates associated with TLS. When I
created the UKf signing certificate, I took advantage of that to use the DN
to indicate the *purpose* of the certificate rather than necessarily the
owner. So the UKf one looks like this:
Issuer: C=GB, O=UK Access Management Federation for Education and Research, CN=UK Federation Metadata Signer
So that's an alternative strategy, although I wouldn't say that it makes a
critical difference in any way.
-- Ian
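
The two points discussed in this message (a SHA-256 signature on the certificate, and a DN that names the certificate's purpose rather than a host) can be reproduced and checked with OpenSSL. This is an added example, not a command from either participant; the key size, validity period and file names are assumptions, and the DN is the UKf one quoted above.

```shell
#!/bin/sh
# Added illustration: create a self-signed signing certificate whose DN
# describes its purpose, then inspect it the way a reviewer would.

# DN taken from the message above (OpenSSL -subj syntax).
PURPOSE_DN="/C=GB/O=UK Access Management Federation for Education and Research/CN=UK Federation Metadata Signer"

# make_signer_cert DIR SUBJECT
# Writes DIR/signer.key and DIR/signer.crt. RSA-2048 and 3650 days are
# assumed values; the thread does not state either.
make_signer_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "$2" -keyout "$1/signer.key" -out "$1/signer.crt" 2>/dev/null
}

# cert_field CERT subject|issuer
# Prints the requested DN in RFC 2253 form without the "subject=" label.
cert_field() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"
}

# sig_alg CERT
# Prints the algorithm used to sign the certificate itself.
sig_alg() {
    openssl x509 -in "$1" -noout -text |
        awk '/Signature Algorithm/ { print $3; exit }'
}

# is_self_signed CERT
# True when issuer equals subject and the certificate verifies under its
# own public key.
is_self_signed() {
    [ "$(cert_field "$1" subject)" = "$(cert_field "$1" issuer)" ] &&
        openssl verify -CAfile "$1" "$1" >/dev/null 2>&1
}

# Demonstration in a throwaway directory.
demo_dir=$(mktemp -d)
make_signer_cert "$demo_dir" "$PURPOSE_DN"
echo "subject:     $(cert_field "$demo_dir/signer.crt" subject)"
echo "issuer:      $(cert_field "$demo_dir/signer.crt" issuer)"
echo "signed with: $(sig_alg "$demo_dir/signer.crt")"
is_self_signed "$demo_dir/signer.crt" && echo "self-signed: yes"
rm -rf "$demo_dir"
```
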