Bill Sommerfeld wrote:
> 1) expected relationship(s), if any between the certificate Subject and/or subjectAltName fields and the identity of the server or user which owns the certificate. (This of course opens up the "Naming is Hard" discussion.)
Host certificate matching against the server name should probably be mentioned in the Implementation Considerations section. Currently there are implementations that check either the host certificate subject CN, subjectAltName DNS names, or both, so we should recommend checking both of these for interoperability purposes.
Defining how to use user certificates is out of scope for this document in my opinion; mapping of certificates to system accounts is mostly just a configuration issue. There are a lot of different ways to do it, and I don't think we should place any requirements for the format of the certificates.
> 2) text regarding KeyUsage and ExtendedKeyUsage.
> 3) text regarding recommendations for certificate revocation checks.
> 4) discussion of how to handle certificate chains.
These are already covered by other documents. I don't really see the need for new ssh-specific extendedKeyUsage flags.
Regards, Oskari
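As an added illustration of the "check both CN and subjectAltName" recommendation above (example code, not from the thread or from any SSH implementation): a Go matcher that accepts a host certificate when either a subjectAltName dNSName or the subject CN matches the server name. The sample certificate is constructed in memory with the same fields x509.ParseCertificate would fill, and the single-label wildcard rule is an assumption that goes beyond the message's text.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"strings"
)

// matchName compares one presented DNS name against the expected host name,
// case-insensitively. A leading "*." may stand in for exactly one leftmost label.
func matchName(pattern, host string) bool {
	pattern = strings.ToLower(strings.TrimSuffix(pattern, "."))
	host = strings.ToLower(strings.TrimSuffix(host, "."))
	if !strings.HasPrefix(pattern, "*.") {
		return pattern == host
	}
	i := strings.IndexByte(host, '.')
	if i <= 0 {
		return false // the wildcard must replace a non-empty label
	}
	return pattern[1:] == host[i:] // compare ".example.net" with ".example.net"
}

// hostMatches accepts the certificate for host if either a subjectAltName
// dNSName entry or the subject CN matches, so certificates issued by
// implementations that populate only one of the two still interoperate.
func hostMatches(cert *x509.Certificate, host string) bool {
	for _, n := range cert.DNSNames {
		if matchName(n, host) {
			return true
		}
	}
	return cert.Subject.CommonName != "" && matchName(cert.Subject.CommonName, host)
}

// hostCert builds a constructed (not parsed) host certificate carrying only the
// CN and SAN dNSName fields the matcher looks at; sample data for the demo.
func hostCert(cn string, sans []string) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, DNSNames: sans}
}

func main() {
	cert := hostCert("ssh.example.com", []string{"*.example.net"})
	for _, h := range []string{"ssh.example.com", "host.example.net", "example.net"} {
		fmt.Printf("%-18s accepted=%v\n", h, hostMatches(cert, h))
	}
}
```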