
md-distro - Re: [md-distro] new self-signed signing certificate

Subject: Metadata Distribution Subcommittee of TAC

  • From: Tom Scavo
  • To:
  • Subject: Re: [md-distro] new self-signed signing certificate
  • Date: Fri, 13 Dec 2013 08:38:59 -0500

On Fri, Dec 13, 2013 at 6:53 AM, Ian Young wrote:
>
> On 13 Dec 2013, at 11:33, Tom Scavo wrote:
>
>> The main question I have is the DNs. You
>> can see what we've chosen in the output below. Is there some strategy
>> to choosing something else? If so, I'm not seeing it.
>
>> Issuer: CN=fedop.incommonfederation.org
>
> There's no requirement that a CN be a domain name AFAIK, that's just a
> convention used for end entity certificates associated with TLS. When I
> created the UKf signing certificate, I took advantage of that to use the DN
> to indicate the *purpose* of the certificate rather than necessarily the
> owner. So the UKf one looks like this:
>
> Issuer: C=GB, O=UK Access Management Federation for Education and
> Research, CN=UK Federation Metadata Signer

Thanks for that idea. That makes good sense, actually.

For additional input, I've decided to take this topic over to the TAC
mailing list as well. Ian, I encourage you to reiterate your
suggestion there. Let's see where this goes.

Tom


