
Re: subjectAltName vs. CN in certificates



Kurt D. Zeilenga writes:
>At 05:33 AM 3/7/2005, Hallvard B Furuseth wrote:
>> This reminds me:
>>
>> Do implementations tend to obey this SHOULD (which is copied from
>> RFC 2830)?
>
> Well, s/the source/a source/ in the statement, yes.

In other words, no (the way I had read it).  What I meant to ask
was if they REFRAIN from checking CN if subjectAltName is present.
Good to know I had misunderstood.  I did think it was weird behaviour.

>> 3.1.6. Server Identity Check
>>     - If a subjectAltName extension of type dNSName is present in the
>>       certificate, it SHOULD be used as the source of the server's
>>       identity.
>
> I rather just s/the source/a source/.

Yes.  Or even s/the source/one source/.

-- 
Hallvard
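
The two readings debated in this thread, as an added example that is not part of the original message or of any implementation discussed in it: one identity check run with dNSName as "the source" (CN ignored when a dNSName is present) and as "a source" (CN also checked). The function names, the `san_exclusive` flag and the sample certificate are assumptions made for illustration; the certificate uses the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`.

```python
# Added illustration. Certificates are plain dicts in the shape returned by
# ssl.SSLSocket.getpeercert(); every host name below is constructed.

def _dns_sans(cert):
    """All subjectAltName entries of type dNSName."""
    return [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]

def _common_names(cert):
    """All commonName values in the subject DN."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def _matches(pattern, host):
    """Case-insensitive comparison. A '*' is honoured only as the whole
    left-most label and covers exactly one label (the RFC 2830 rule)."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        head, _, tail = h.partition(".")
        return bool(head) and tail == p[2:]
    return p == h

def check_identity(cert, host, san_exclusive):
    """san_exclusive=True : dNSName, when present, is THE source; CN is
                            consulted only if the cert has no dNSName.
       san_exclusive=False: dNSName is A source; CN is always consulted too."""
    sans = _dns_sans(cert)
    names = list(sans)
    if not (san_exclusive and sans):
        names += _common_names(cert)
    return any(_matches(n, host) for n in names)

# Constructed certificate whose CN is not repeated among its dNSName entries.
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "directory.example.com"),
                       ("DNS", "*.dir.example.net")),
}

if __name__ == "__main__":
    for host in ("directory.example.com", "ldap.example.com",
                 "a.dir.example.net"):
        print(host,
              "the-source:", check_identity(SAMPLE_CERT, host, True),
              "a-source:", check_identity(SAMPLE_CERT, host, False))
```

The two readings give different answers only for a certificate whose CN is not also listed as a dNSName, which is the case the sample certificate is built to show.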