[1] RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile ( 版) <http://tools.ietf.org/html/rfc5280#section-4.2.1.6>
When the subjectAltName extension contains an Internet mail address,
the address MUST be stored in the rfc822Name. The format of an
rfc822Name is a "Mailbox" as defined in Section 4.1.2 of [RFC2821].
A Mailbox has the form "Local-part@Domain".
[2] RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile ( 版) <http://tools.ietf.org/html/rfc5280#section-4.2.1.10>
A name constraint for Internet mail addresses MAY specify a
particular mailbox, all addresses at a particular host, or all
mailboxes in a domain. To indicate a particular mailbox, the
constraint is the complete mail address. For example,
"root@example.com" indicates the root mailbox on the host
"example.com". To indicate all Internet mail addresses on a
particular host, the constraint is specified as the host name. For
example, the constraint "example.com" is satisfied by any mail
address at the host "example.com". To specify any address within a
domain, the constraint is specified with a leading period (as with
URIs). For example, ".example.com" indicates all the Internet mail
addresses in the domain "example.com", but not Internet mail
addresses on the host "example.com".
[3] RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile ( 版) <http://tools.ietf.org/html/rfc5280#section-4.2.1.10>
Legacy implementations exist where an electronic mail address is
embedded in the subject distinguished name in an attribute of type
emailAddress (Section 4.1.2.6). When constraints are imposed on the
Cooper, et al. Standards Track [Page 41]
page-42
RFC 5280 PKIX Certificate and CRL Profile May 2008
rfc822Name name form, but the certificate does not include a subject
alternative name, the rfc822Name constraint MUST be applied to the
attribute of type emailAddress in the subject distinguished name.
[4] RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile ( 版) <http://tools.ietf.org/html/rfc5280#section-7.5>
Where the host-part (the Domain of the Mailbox) contains an
internationalized name, the domain name MUST be converted from an IDN
to the ASCII Compatible Encoding (ACE) format as specified in Section
7.2.
Two email addresses are considered to match if:
1) the local-part of each name is an exact match, AND
2) the host-part of each name matches using a case-insensitive
ASCII comparison.
Implementations should convert the host-part of internationalized
email addresses specified in these extensions to Unicode before
display. Specifically, conforming implementations should perform the
conversion of the host-part of the Mailbox as described in Section
7.2.