[Date Prev][Date Next]
[Chronological]
[Thread]
[Top]
Re: authmeth-16 TLS issues
Roger Harrison wrote:
I've reworked this paragraph on the CN/subjectName check based on
several comments in this thread. Here's what I now have:
The server's identity may also be verified by comparing the reference
identity to the Common Name value in the leaf RDN of the subjectName
field of the server's certificate. Note that the TLS implementation may
display DNs in certificates according to X.509 conventions. For
example, some X.500 implementations order the RDNs in a DN using a
left-to-right (most significant to least significant) convention instead
of LDAP's rightâtoâleft convention. This comparison is performed using
the rules for comparison of DNS names in section 3.1.3.1 below, with the
exception that no wildcard matching is allowed. Although the use of the
Common Name value is existing practice, it is deprecated and
Certification Authorities are encouraged to provide subjectAltName
values instead.
Comments and feedback are welcome.
I think the wording is good; the flow is a bit choppy. Perhaps the Note
should be at the end of the paragraph, or a separate paragraph:
The server's identity may also be verified by comparing the reference
identity to the Common Name value in the leaf RDN of the subjectName
field of the server's certificate. This comparison is performed using
the rules for comparison of DNS names in section 3.1.3.1 below, with the
exception that no wildcard matching is allowed. Although the use of the
Common Name value is existing practice, it is deprecated and
Certification Authorities are encouraged to provide subjectAltName
values instead. Note that the TLS implementation may display DNs in
certificates according to X.509 conventions. For example, some X.500
implementations order the RDNs in a DN using a left-to-right (most
significant to least significant) convention instead of LDAP's
rightâtoâleft convention. Implementers should not blindly assume the
left-most RDN is the leaf RDN.
Roger
--
-- Howard Chu
Chief Architect, Symas Corp. http://www.symas.com
Director, Highland Sun http://highlandsun.com/hyc
OpenLDAP Core Team http://www.openldap.org/project/