[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
subjectAltName vs. CN in certificates
This reminds me:
Do implementations tend to obey this SHOULD (which is copied from
RFC 2830)?
> 3.1.6. Server Identity Check
> - If a subjectAltName extension of type dNSName is present in the
> certificate, it SHOULD be used as the source of the server's
> identity.
I've seen several mentions of a server accepting a host name
matching the CN even though a different subjectAltName is present.
If that is common, maybe the SHOULD above should be loosened to
bless current practice - but probably not to say "SHOULD check
both CN and subjectAltName".
RL 'Bob' Morgan writes:
>On Sun, 6 Mar 2005, Hallvard B Furuseth wrote:
>>> 3.1.6. Server Identity Check
>>
>>> Matching is performed according to these rules:
>>
>> Can someone remind me why this is specified here instead of in [TLS]?
>> It doesn't look LDAP-specific. I can't find the answer in the archive.
>
> TLS regards this as application-specific, and indeed applications do vary.
> TLS for SMTP says almost nothing about server name checking, for example.
--
Hallvard