looking for terminology recommendations concerning non-rooted FQDNs

Brian Reichert reichert at numachi.com
Fri Feb 22 17:17:10 UTC 2013


On Fri, Feb 22, 2013 at 05:19:03PM +1100, Karl Auer wrote:
> It's a convention common enough and useful enough that I can see why
> people would want a handy term for it.

The core issue I'm trying to resolve surrounds the generation of a
CSR.  We're trying to automate this process for a network appliance
my employer sells.

When our appliance generates a CSR for itself, among the steps is
to get a PTR record; by convention (or otherwise) these are rooted
domain names.

When we generate a CSR, we're choosing to include the rooted domain
name, as well as the other form (for now, I guess it should be
called a FQDN, the version without the trailing dot).

The resulting issued certificate has both forms in the SubjectAltName
field, and this allows both hostname forms to be used to establish
an SSL connection to our server.  They are considered distinct for
the Subject verification phase.

It's come to my attention that some commercial certificate vendors
think that having multiple hostnames in the SAN list costs more
money; go figure.  Our customers then have to go through some
soul-searching to pare down the list of hostnames in the SAN in the
CSR.

There are some understandable questions about why we include both
forms, and whether or not they are necessary.

We need to document our policies and recommendations, and I'm trying
to establish the vocabulary.

Hence my original question.  Irrespective of the state of RFCs,
there are competing conventions, and ambiguous terminology.  And I
was seeking guidance. :)

I do appreciate the feedback provided thus far.

> Regards, K.
> 
> -- 
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Karl Auer (kauer at biplane.com.au)
> http://www.biplane.com.au/kauer
> http://www.biplane.com.au/blog

-- 
Brian Reichert				<reichert at numachi.com>
BSD admin/developer at large	
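
Added example, not part of the original message and not the appliance's own code: a sketch of the CSR step described above, deriving both name forms from a PTR answer, rendering them as dNSName entries in an OpenSSL req config, and showing which names still verify when the SAN list is pared down. The function names and the host appliance.example.com are hypothetical, and the matcher assumes a verifier that does not normalise the trailing dot, as the message describes.

```python
# Added example; function names and the sample host are hypothetical.

def san_forms(ptr_target):
    """Return [non-rooted, rooted] forms of a PTR target."""
    name = ptr_target.strip().lower()
    bare = name[:-1] if name.endswith(".") else name
    # Reject empty names and empty labels such as "host..example.com".
    if not bare or any(label == "" for label in bare.split(".")):
        raise ValueError("not a usable host name: %r" % ptr_target)
    return [bare, bare + "."]


def openssl_req_config(dns_names):
    """Render an OpenSSL req config requesting each name as a dNSName SAN."""
    lines = [
        "[req]", "distinguished_name = dn",
        "req_extensions = v3_req", "prompt = no", "",
        "[dn]", "CN = " + dns_names[0], "",
        "[v3_req]", "subjectAltName = @alt_names", "",
        "[alt_names]",
    ]
    lines += ["DNS.%d = %s" % (i, n) for i, n in enumerate(dns_names, 1)]
    return "\n".join(lines) + "\n"


def matches_literal(reference, dns_names):
    """Assumed verifier: case-insensitive compare, trailing dot kept as-is."""
    ref = reference.lower()
    return any(ref == n.lower() for n in dns_names)


def coverage(dns_names, references):
    """Map each name a client might type to whether the SAN list covers it."""
    return {r: matches_literal(r, dns_names) for r in references}


if __name__ == "__main__":
    forms = san_forms("appliance.example.com.")  # constructed PTR answer
    print(openssl_req_config(forms))
    print("both forms in SAN:", coverage(forms, forms))
    print("pared to one form:", coverage(forms[:1], forms))
```

The rendered config can be passed to `openssl req -new -config <file> -key <keyfile>` to produce the CSR.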



