md-distro - Re: [md-distro] new self-signed signing certificate
Subject: Metadata Distribution Subcommittee of TAC
- From: Tom Scavo
- Subject: Re: [md-distro] new self-signed signing certificate
- Date: Fri, 13 Dec 2013 08:38:59 -0500
On Fri, Dec 13, 2013 at 6:53 AM, Ian Young wrote:
>
> On 13 Dec 2013, at 11:33, Tom Scavo wrote:
>
>> The main question I have is about the DNs. You
>> can see what we've chosen in the output below. Is there some strategy
>> to choosing something else? If so, I'm not seeing it.
>
>> Issuer: CN=fedop.incommonfederation.org
>
> There's no requirement that a CN be a domain name AFAIK, that's just a
> convention used for end entity certificates associated with TLS. When I
> created the UKf signing certificate, I took advantage of that to use the DN
> to indicate the *purpose* of the certificate rather than necessarily the
> owner. So the UKf one looks like this:
>
> Issuer: C=GB, O=UK Access Management Federation for Education and
> Research, CN=UK Federation Metadata Signer

Thanks for that idea. That makes good sense, actually.

For additional input, I've decided to take this topic over to the TAC
mailing list as well. Ian, I encourage you to reiterate your
suggestion there. Let's see where this goes.

Tom