|
Howard,
Thanks for the suggestion. I was thinking the very same thing myself last night, and I've now changed the flow of the paragraph as you suggested.
Roger
>>> Howard Chu <hyc@highlandsun.com> 10/22/2005 1:00 pm >>> Roger Harrison wrote: > > > I've reworked this paragraph on the CN/subjectName check based on > several comments in this thread. Here's what I now have: > > The server's identity may also be verified by comparing the reference > identity to the Common Name value in the leaf RDN of the subjectName > field of the server's certificate. Note that the TLS implementation may > display DNs in certificates according to X.509 conventions. For > example, some X.500 implementations order the RDNs in a DN using a > left-to-right (most significant to least significant) convention instead > of LDAP's right-to-left convention. This comparison is performed using > the rules for comparison of DNS names in section 3.1.3.1 below, with the > exception that no wildcard matching is allowed. Although the use of the > Common Name value is existing practice, it is deprecated and > Certification Authorities are encouraged to provide subjectAltName > values instead. > > Comments and feedback are welcome. I think the wording is good; the flow is a bit choppy. Perhaps the Note should be at the end of the paragraph, or a separate paragraph: The server's identity may also be verified by comparing the reference identity to the Common Name value in the leaf RDN of the subjectName field of the server's certificate. This comparison is performed using the rules for comparison of DNS names in section 3.1.3.1 below, with the exception that no wildcard matching is allowed. Although the use of the Common Name value is existing practice, it is deprecated and Certification Authorities are encouraged to provide subjectAltName values instead. Note that the TLS implementation may display DNs in certificates according to X.509 conventions. For example, some X.500 implementations order the RDNs in a DN using a left-to-right (most significant to least significant) convention instead of LDAP's right-to-left convention. Implementers should not blindly assume the left-most RDN is the leaf RDN. > Roger -- -- Howard Chu Chief Architect, Symas Corp. http://www.symas.com Director, Highland Sun http://highlandsun.com/hyc OpenLDAP Core Team http://www.openldap.org/project/ |