Re: subjectAltName vs. CN in certificates
Kurt D. Zeilenga writes:
>At 05:33 AM 3/7/2005, Hallvard B Furuseth wrote:
>> This reminds me:
>>
>> Do implementations tend to obey this SHOULD (which is copied from
>> RFC 2830)?
>
> Well, s/the source/a source/ in the statement, yes.
In other words, no (the way I had read it). What I meant to ask
was if they REFRAIN from checking CN if subjectAltName is present.
Good to know I had misunderstood. I did think it was weird behaviour.
>> 3.1.6. Server Identity Check
>> - If a subjectAltName extension of type dNSName is present in the
>> certificate, it SHOULD be used as the source of the server's
>> identity.
>
> I'd rather just s/the source/a source/.
Yes. Or even s/the source/one source/.
--
Hallvard
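
The two readings discussed in this message, side by side, as an added example that is not part of the original post or of any LDAP implementation's code. It assumes a certificate in the dict shape returned by Python's `ssl.SSLSocket.getpeercert()`; the policy names `the-source` and `a-source`, the helper names, and the hostnames are constructed for illustration.

```python
def dns_match(pattern, host):
    """Case-insensitive compare; '*' may stand only for the whole left-most label."""
    p, h = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if p.startswith("*."):
        label, _, rest = h.partition(".")
        return bool(label) and rest == p[2:]
    return p == h

def dns_names(cert):
    """dNSName entries of the subjectAltName extension."""
    return [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]

def common_names(cert):
    """CN attribute values from the subject DN."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def check_identity(cert, host, policy):
    """
    policy "the-source": if any dNSName is present, only dNSNames are
                         considered and CN is ignored.
    policy "a-source":   dNSNames and CN are both candidate identities.
    With no dNSName at all, both policies fall back to CN.
    """
    sans, cns = dns_names(cert), common_names(cert)
    if policy == "the-source":
        candidates = sans if sans else cns
    elif policy == "a-source":
        candidates = sans + cns
    else:
        raise ValueError("unknown policy: %r" % policy)
    return any(dns_match(c, host) for c in candidates)

# Constructed certificate: the CN carries a name the dNSName list does not.
CERT_BOTH = {
    "subject": ((("commonName", "old-ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"), ("DNS", "*.dir.example.com")),
}
# Constructed certificate with no subjectAltName extension.
CERT_CN_ONLY = {"subject": ((("commonName", "ldap.example.com"),),)}

if __name__ == "__main__":
    for host in ("ldap.example.com", "old-ldap.example.com", "a.dir.example.com"):
        for policy in ("the-source", "a-source"):
            print(host, policy, check_identity(CERT_BOTH, host, policy))
```

The only host on which the two policies disagree is the one named in CN but absent from the dNSName list, which is the case the thread is asking about.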