ND-iTC / Documents

ND iTC Document repository (NDcPP, ND SD, and all related files)
MIT License

[cPP Comment 25] App Notes 66, 99 #300

Closed kr15tyk closed 10 months ago

kr15tyk commented 1 year ago

Location: NDcPP: Application note 66; B.3.1.1 / Application note 99; B.3.1.5

Comment: Referencing RFC 6125 generically for matching rules is incorrect, and has caused confusion in previous versions. RFC 6125 is limited in scope to DNS-type names, and does not describe matching rules for IP addresses. An IP address is matched according to CIDR rules, or if IP ranges are not allowed, by byte-by-byte matching. Other name types described only in RFC 5280 are matched according to the rules/referenced standards in RFC 5280.

Suggested Change: We recognize that this is a long-standing area of disagreement, and suggest a discussion with NIAP, NSA SME, and a Representative from the NSA Center for Cybersecurity Standards, which may result in the below suggested changes:

Qualify sentence for RFC 6125 to only apply to the name types defined/in scope for RFC 6125 and provide correct references for matching other name-types.

Also consider (warning of) deprecation of support for embedded name types in the subject CN. All references indicate that this is a non-standard, dangerous practice. Alternatively, require that the conversion from printed type to other formatted name types embedded in the CN be explained and tested.
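The matching-rule split the comment describes, as an added example that is not part of this issue or of the ND-iTC documents: DNS-IDs are compared using RFC 6125 label rules, IP-IDs are compared byte-by-byte on the parsed binary address, and each reference identifier is checked only against SAN entries of its own type (so an IP string carried in a dNSName or CN never satisfies an IP reference). The SAN tuples and the `reference_matches` helper are constructed for illustration.

```python
import ipaddress
from typing import Iterable, Tuple

# Presented identifiers are modelled as (san_type, value) pairs taken from a
# certificate's subjectAltName; "DNS" for dNSName, "IP" for iPAddress.
PresentedId = Tuple[str, str]


def _match_dns(presented: str, reference: str) -> bool:
    """RFC 6125 DNS-ID matching: case-insensitive label comparison, at most
    one wildcard, only as the whole left-most label, never spanning a dot."""
    p_labels = presented.lower().rstrip(".").split(".")
    r_labels = reference.lower().rstrip(".").split(".")
    if len(p_labels) != len(r_labels) or len(r_labels) < 2:
        return False
    if p_labels[0] == "*":
        # Wildcard stands for exactly one label and must not cover a bare
        # registry suffix such as "*.com"; remaining labels match exactly.
        return len(p_labels) >= 3 and p_labels[1:] == r_labels[1:]
    return p_labels == r_labels


def _match_ip(presented: str, reference: str) -> bool:
    """IP-ID matching: compare the packed binary address, so textual
    variants (IPv6 zero compression, hex case) compare equal."""
    try:
        return (ipaddress.ip_address(presented).packed
                == ipaddress.ip_address(reference).packed)
    except ValueError:
        return False


def reference_matches(presented_ids: Iterable[PresentedId], reference: str) -> bool:
    """Select the rule set from the reference identifier's own type and
    compare only against SAN entries of that type."""
    try:
        ipaddress.ip_address(reference)
        wanted_type, matcher = "IP", _match_ip
    except ValueError:
        wanted_type, matcher = "DNS", _match_dns
    return any(t == wanted_type and matcher(v, reference) for t, v in presented_ids)


# Constructed sample SAN contents: a wildcard DNS name, an IPv6 iPAddress,
# and an IPv4 string mistakenly carried as a dNSName.
SAMPLE_SANS = [("DNS", "*.example.com"), ("IP", "2001:db8::1"), ("DNS", "192.0.2.7")]
```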

kenji-lightship commented 1 year ago

I believe this is referring to Application Notes 63 and 97.

This looks like it is just a clarification of the 3rd paragraph of both application notes. At the moment, it reads like all matching is done according to RFC 6125. RFC 6125 is a separate selection from the IP address matching selections, for the reasons noted in the review comment.