
subjectAltName vs. CN in certificates
This reminds me:

Do implementations tend to obey this SHOULD (which is copied from
RFC 2830)?

> 3.1.6. Server Identity Check
>     - If a subjectAltName extension of type dNSName is present in the
>       certificate, it SHOULD be used as the source of the server's
>       identity.

I've seen several mentions of a server accepting a host name
matching the CN even though a different subjectAltName is present.
If that is common, maybe the SHOULD above should be loosened to
bless current practice - but probably not to say "SHOULD check
both CN and subjectAltName".

RL 'Bob' Morgan writes:
>On Sun, 6 Mar 2005, Hallvard B Furuseth wrote:
>>> 3.1.6. Server Identity Check
>>
>>>   Matching is performed according to these rules:
>>
>> Can someone remind me why this is specified here instead of in [TLS]?
>> It doesn't look LDAP-specific.  I can't find the answer in the archive.
>
> TLS regards this as application-specific, and indeed applications do vary.
> TLS for SMTP says almost nothing about server name checking, for example.

-- 
Hallvard
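The two behaviours discussed above, as an added illustration that is not part of the thread: a client-side identity check following the RFC 2830 rule (when any dNSName subjectAltName is present it is the only source of identity; the "*" wildcard applies only to the left-most label; matching is case-insensitive) beside the looser "also accept the CN" practice the message describes. It works on already-extracted certificate fields so no TLS library is needed; the SAN list and CN are constructed sample values.

```python
# Added example (not from the thread): RFC 2830 section 3.6 server identity check
# versus the looser "CN also accepted" behaviour. Sample certificate fields are
# constructed for illustration.

def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive match; '*' allowed only as the entire left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # *.bar.com matches a.bar.com, not bar.com or a.b.bar.com
    if p_labels[0] == "*":
        return len(p_labels) > 1 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels  # any other '*' is treated literally


def check_server_identity(hostname, san_dns_names, cn, follow_should=True):
    """Return (matched, source) for the host name the connection was opened to.

    follow_should=True  -- RFC 2830 SHOULD: if any dNSName SAN is present the
                           CN is never consulted, even when it would match.
    follow_should=False -- the practice described in the thread: fall back to
                           the CN even though a different SAN is present.
    """
    if san_dns_names:
        # Any one matching identity of the set is acceptable.
        if any(_dns_name_matches(n, hostname) for n in san_dns_names):
            return True, "subjectAltName"
        if follow_should:
            return False, "subjectAltName"
    if cn is not None and _dns_name_matches(cn, hostname):
        return True, "CN"
    return False, None


# Constructed sample: the CN names a host that the SAN list does not cover.
SAMPLE_SAN = ["ldap1.example.org", "*.ldap.example.org"]
SAMPLE_CN = "ldap.example.org"

if __name__ == "__main__":
    for host in ("ldap1.example.org", "x.ldap.example.org", "ldap.example.org"):
        strict = check_server_identity(host, SAMPLE_SAN, SAMPLE_CN)
        loose = check_server_identity(host, SAMPLE_SAN, SAMPLE_CN, follow_should=False)
        print(f"{host:22} strict={strict}  loose={loose}")
```

The third host name shows the difference the message asks about: it matches only the CN, so the RFC-conformant check rejects it while the loose check accepts it.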