>4.6. Server Identity Check
>
>The client SHOULD check its understanding of the server's hostname
>against the server's identity as presented in the server's Certificate
>message, in order to prevent man-in-the-middle attacks.
>
>If a subjectAltName extension of type dNSName is present, it SHOULD be
>used as the source of the server's identity.
>
Paragraph is a duplicate.
>Matching is performed according to these rules:
>
> - The client MUST use the server hostname it used to open
> the LDAP connection as the value to compare against the
> server name as expressed in the server's certificate.
> The client MUST NOT use the server's canonical DNS name or
> any other derived form of name.
>
> - If a subjectAltName extension of type dNSName is present
> in the certificate, it SHOULD be used as the source of the
> server's identity.
In the absence of a subjectAltName extension of type dNSName in the
certificate: how should the comparison algorithm look, as the only LDAP
server name in the cert - the subjectName field - will be an X.500
Distinguished Name? Some RDNs may contain rfc822MailBox names or something
else that allows a mapping onto the server's hostname. The cert may also
contain subjectAltName extensions distinct from dNSName, but nevertheless
suitable for an identity check, e.g. rfc822Name, uniformResourceIdentifier
or iPAddress. The original text seems to mandate that an LDAP server needs
to possess a cert with the dNSName altName extension.
>
> - Matching is case-insensitive.
>
> - The "*" wildcard character is allowed.
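The matching rules quoted above, and the open question of what a client should do when the certificate carries no dNSName, can be made concrete in a small client-side check. The following Python is an added example, not code from the draft or from any LDAP implementation; the certificate contents are constructed, and the wildcard semantics (a "*" is honoured only as the entire leftmost label and matches exactly one label) and the opt-in fallback to the subject CN are assumptions of this example, since the quoted text only states that "*" is allowed and says nothing about the no-dNSName case.

```python
"""Server identity check for an LDAP-over-TLS client.

Implements the quoted rules: compare the hostname the client used to open
the connection (never a canonical or reverse-resolved name) against the
certificate's subjectAltName dNSName entries, case-insensitively, with a
"*" wildcard.  Added example; all certificate data below is constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PeerCert:
    """Minimal view of the fields the check needs.  Constructed for this
    example; a real client would read them from the TLS library's parsed
    certificate object."""
    san_dnsnames: List[str] = field(default_factory=list)
    subject_cn: Optional[str] = None  # CN attribute of the X.500 subject DN


def _label_matches(pattern: str, label: str) -> bool:
    # Assumption (the draft only says "*" is allowed): a wildcard counts
    # only when it is the whole label, so "ld*p" is a literal label.
    return pattern == "*" or pattern == label


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive comparison of one dNSName value against hostname."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False      # a wildcard stands for one label, never several
    if "*" in p_labels[1:]:
        return False      # assumption: wildcard allowed in leftmost label only
    if p_labels[0] == "*" and len(p_labels) < 3:
        return False      # assumption: refuse overly broad "*.tld" patterns
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def check_server_identity(connect_hostname: str, cert: PeerCert,
                          allow_cn_fallback: bool = False) -> bool:
    """Return True if the presented certificate names connect_hostname.

    connect_hostname must be the name the client used to open the LDAP
    connection; per the first quoted rule the caller must not substitute
    the server's canonical DNS name or any other derived form.
    """
    if cert.san_dnsnames:
        # dNSName present: it is the source of identity, so nothing else
        # (CN, other SAN types) is consulted even if no entry matches.
        return any(dnsname_matches(n, connect_hostname) for n in cert.san_dnsnames)
    # No dNSName: the draft is silent, which is the gap raised in the reply
    # above.  This example rejects by default and offers the subject CN as
    # an explicitly enabled fallback; that policy is an assumption here.
    if allow_cn_fallback and cert.subject_cn:
        return dnsname_matches(cert.subject_cn, connect_hostname)
    return False


if __name__ == "__main__":
    # Constructed sample certificate: wildcard dNSName plus a subject CN.
    sample = PeerCert(san_dnsnames=["*.example.com"], subject_cn="ldap.example.com")
    print(check_server_identity("LDAP.Example.COM", sample))   # True
    print(check_server_identity("ldap.example.org", sample))   # False
    cn_only = PeerCert(subject_cn="ldap.example.com")
    print(check_server_identity("ldap.example.com", cn_only))  # False: no dNSName
```

The check takes the connect hostname as an explicit parameter rather than deriving it from the socket, which is the simplest way to honour the MUST NOT rule: a name obtained by reverse lookup of the peer address never enters the comparison. Whether to enable the CN fallback is exactly the policy decision the reply asks the draft to settle.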