RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

RFC 5280, "Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile", May 2008

Note: This RFC has been updated by RFC 6818, RFC 8398, RFC 8399, RFC 9549

Source of RFC: pkix (sec)

Errata ID: 5876
Status: Held for Document Update
Type: Technical
Publication Format(s): TEXT

Reported By: David Woodhouse
Date Reported: 2019-10-16
Held for Document Update by: Benjamin Kaduk
Date Held: 2019-10-20

Section 4.2.1.6 says:

   When the subjectAltName extension contains an iPAddress, the address
   MUST be stored in the octet string in "network byte order", as
   specified in [RFC791]. 

It should say:

   When the subjectAltName extension contains an IP address, the address
   MUST be stored in the iPAddress (an octet string). The address 
   MUST be stored in the octet string in "network byte order", as
   specified in [RFC791]. 

Notes:

For email addresses and domain names, this section is very prescriptive:

   When the subjectAltName extension contains an Internet mail address,
   the address MUST be stored in the rfc822Name.
   ...
   When the subjectAltName extension contains a domain name system
   label, the domain name MUST be stored in the dNSName…

However, for IP addresses, it's possible to interpret the current wording as saying that *if* you happen to choose the iPAddress form for an IP address, then you must represent that as big-endian. I suspect this was a poor choice of wording and the intent was to say that you MUST use the iPAddress form for an IP address.
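The distinction this erratum draws can be checked mechanically. The following is an added example, not part of the erratum or of RFC 5280: it encodes an address as an iPAddress GeneralName in network byte order and audits a subjectAltName value for IP literals stored as dNSName instead. All function names are hypothetical, the sample bytes are constructed, and only short-form DER lengths are handled.

```python
import ipaddress

DNS_NAME, IP_ADDRESS = 0x82, 0x87  # GeneralName context tags [2] and [7]

def encode_ip_general_name(text):
    """Encode an IP address as a DER iPAddress GeneralName (network byte order)."""
    packed = ipaddress.ip_address(text).packed  # 4 octets for IPv4, 16 for IPv6
    return bytes([IP_ADDRESS, len(packed)]) + packed

def encode_dns_general_name(name):
    return bytes([DNS_NAME, len(name)]) + name.encode("ascii")

def read_general_names(der):
    """Return (tag, value) pairs from a GeneralNames SEQUENCE (short-form lengths only)."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2 or der[1] > 0x7F:
        raise ValueError("expected a short-form DER SEQUENCE")
    names, pos = [], 2
    while pos < len(der):
        if pos + 2 > len(der) or der[pos + 1] > 0x7F or pos + 2 + der[pos + 1] > len(der):
            raise ValueError("truncated or long-form GeneralName")
        end = pos + 2 + der[pos + 1]
        names.append((der[pos], der[pos + 2:end]))
        pos = end
    return names

def audit_san(der):
    """Flag IP addresses that were not stored as a well-formed iPAddress."""
    findings = []
    for tag, value in read_general_names(der):
        if tag == DNS_NAME:
            try:
                ipaddress.ip_address(value.decode("ascii"))
            except ValueError:  # not an IP literal (covers decode errors too)
                continue
            findings.append(("ip-in-dNSName", value.decode("ascii")))
        elif tag == IP_ADDRESS and len(value) not in (4, 16):
            findings.append(("bad-iPAddress-length", value.hex()))
    return findings

def wrap_sequence(*items):
    body = b"".join(items)  # short-form length: body must stay under 128 octets
    return bytes([0x30, len(body)]) + body

# Constructed sample: the same address stored both ways, plus a real host name.
SAMPLE_SAN = wrap_sequence(
    encode_dns_general_name("192.0.2.10"),
    encode_ip_general_name("192.0.2.10"),
    encode_dns_general_name("example.com"),
)
```

Running `audit_san(SAMPLE_SAN)` reports only the dNSName entry holding `192.0.2.10`; the iPAddress entry for the same address and the `example.com` dNSName pass.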
