Re: subjectAltName vs. CN in certificates
At 05:33 AM 3/7/2005, Hallvard B Furuseth wrote:
>This reminds me:
>
>Do implementations tend to obey this SHOULD (which is copied from
>RFC 2830)?
Well, s/the source/a source/ in the statement, yes.
The server identity could also be present in other subjectAltName
types, like ipAddress.
>> 3.1.6. Server Identity Check
>> - If a subjectAltName extension of type dNSName is present in the
>> certificate, it SHOULD be used as the source of the server's
>> identity.
>
>I've seen several mentions of a server accepting a host name
>matching the CN even though a different subjectAltName is present.
>If that is common, maybe the SHOULD above should be loosened to
>bless current practice - but probably not to say "SHOULD check
>both CN and subjectAltName".
I'd rather just s/the source/a source/.
>RL 'Bob' Morgan writes:
>>On Sun, 6 Mar 2005, Hallvard B Furuseth wrote:
>>>> 3.1.6. Server Identity Check
>>>
>>>> Matching is performed according to these rules:
>>>
>>> Can someone remind me why this is specified here instead of in [TLS]?
>>> It doesn't look LDAP-specific. I can't find the answer in the archive.
>>
>> TLS regards this as application-specific, and indeed applications do vary.
>> TLS for SMTP says almost nothing about server name checking, for example.
>
>--
>Hallvard
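The server identity check the thread is discussing, written out as an added example (not code from this thread, from the draft, or from any LDAP implementation). It shows the difference between the SHOULD as worded (a dNSName subjectAltName, when present, is the source of the server's identity, so the CN is not consulted) and the looser practice Hallvard mentions (a CN match accepted even though a non-matching subjectAltName is present). The `PeerCert` structure, the sample certificate values, the `strict` switch, the "wildcard only as the whole left-most label" rule and the decision to match IP literals only against iPAddress entries are all this example's own assumptions, not anything the thread specifies.

```python
"""Server identity check: subjectAltName dNSName preferred over CN.

Added example, not code from the thread or from any LDAP project.
The certificate structure, sample values, wildcard rule and the
``strict`` switch are constructed here for illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


@dataclass
class PeerCert:
    """Minimal view of the identity fields of an X.509 certificate (constructed)."""
    cn: Optional[str] = None
    san_dns: List[str] = field(default_factory=list)   # subjectAltName dNSName entries
    san_ip: List[str] = field(default_factory=list)    # subjectAltName iPAddress entries


def dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name match.

    Assumption of this example: '*' is allowed only as the entire left-most
    label, matches exactly one label, and needs at least two labels after it.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[1:]:
        return False  # wildcard must be the whole left-most label
    if len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False  # one label only; never match a bare suffix like *.com
    return p_labels[1:] == h_labels[1:]


def server_identity_ok(cert: PeerCert, reference: str,
                       strict: bool = True) -> Tuple[bool, str]:
    """Decide whether ``reference`` (the name the client connected to) names the server.

    Returns (accepted, source), where source says which field decided it.
    strict=True : a dNSName subjectAltName, when present, is *the* source of the
                  identity; the CN is a fallback only when no such SAN exists.
    strict=False: the looser practice from the thread; a CN match is accepted
                  even though a non-matching dNSName subjectAltName is present.
    """
    try:
        ip = ipaddress.ip_address(reference)
    except ValueError:
        ip = None

    if ip is not None:
        # Connected to an IP literal: only iPAddress entries are consulted here
        # (this example never treats a CN as an address).
        hit = any(ipaddress.ip_address(a) == ip for a in cert.san_ip)
        return hit, ("subjectAltName:iPAddress" if cert.san_ip else "none")

    if cert.san_dns:
        if any(dns_match(n, reference) for n in cert.san_dns):
            return True, "subjectAltName:dNSName"
        if strict:
            # SAN present and did not match: the CN is deliberately not consulted.
            return False, "subjectAltName:dNSName"

    if cert.cn and dns_match(cert.cn, reference):
        return True, "CN"  # no usable SAN (or loose mode): CN decides
    return False, "none"


# Constructed sample: CN names one host, the SAN names different ones.
SAMPLE_CERT = PeerCert(
    cn="ldap.example.com",
    san_dns=["ldap1.example.com", "*.ldap.example.net"],
    san_ip=["192.0.2.10"],
)
CN_ONLY_CERT = PeerCert(cn="old.example.org")

if __name__ == "__main__":
    for name in ("ldap1.example.com", "ldap.example.com", "a.ldap.example.net",
                 "a.b.ldap.example.net", "192.0.2.10", "192.0.2.11"):
        print(f"{name:24} strict={server_identity_ok(SAMPLE_CERT, name)}"
              f"  loose={server_identity_ok(SAMPLE_CERT, name, strict=False)}")
    print("old.example.org (CN only):", server_identity_ok(CN_ONLY_CERT, "old.example.org"))
```

The case that matters for the thread is `ldap.example.com` against `SAMPLE_CERT`: the CN matches but the dNSName subjectAltName does not, so the strict reading rejects the server while the loose one accepts it on the strength of a field the SAN was meant to supersede. Changing the wording to "a source" would make the CN admissible alongside the SAN; keeping "the source" keeps the strict behaviour.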