[caops-wg] GFD 125 CN for network entities

[Doug Olson]

I am a little puzzled by the statements in section
3.2.3 commonName of GFD125.

"For certificates issued to networked entities, typically the (primary) FQDN of
the server is included in the commonName. For regular network entity
certificates, there MUST NOT be any additional characters in the commonName[25].
[25]Some components of some grid middleware also recognize Kerberos-style
'service' names in the CN as well that look like 'servicename/fqdn'. In the
majority of the cases, a normal server certificate without the
'servicename/'-qualifier can be used as well – although the
documentation of the middleware will not always state that clearly. It is
recommended to phase out the 'servicename/'-qualifiers where possible."

This seems to take the point of view that there is only a single network
entity running a a given host, when there can be many network entities
on one host, bound to different ports and with different people responsible
for administering them.  I would think it is a better strategy to encourage
the use of 'servicename' qualifiers in the CN for different entities on the same
host and then require the use of DNSName in SubjectAltName for those people that
want to check an FQDN.
I think it is clearly NOT a good idea to force the reuse of a single host
certificate for many different services running on that host.  In this case you
either have all those services running in the same UID, or you make multiple
copies of the host private key, OR issue multiple certificates with the same
CN that are used for different entities (policy violation).

Doug