Peter Saint-Andre wrote:

> On 3/17/10 10:58 PM, ArkanoiD wrote:
>> Well, when it comes to implementation we get *two* matching algorithms then,
>> which is definitely no good ;-).
>
> Given that a self-signed certificate can say *anything*, I don't know
> that it's helpful to enforce any rules about issuance and checking of
> self-signed certs. It's not as if any "certification" has taken place in
> this situation.

+1.

>> What is the rationale of enforcing CN to
>> be leaf RDN?
>
> As I recall, Alexey Melnikov brought that up so I'll ping him about it.

The short answer is that only the leaf RDN corresponds to the entity to which the certificate belongs. Other RDNs can correspond to entities that signed the certificate. E.g. if the subject name is:

cn=example.com, o=Certificated, cn=verisign.com, c=US

then it doesn't mean that verisign.com is the entity described by the certificate.
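The point above, as an added example that is not part of the thread: a small RFC 4514-style DN parser (backslash escapes handled, multi-valued RDNs not needed here) and a matcher that only accepts a CN when it is the leaf, i.e. leftmost, RDN. A naive "any CN in the subject" check is included for contrast, so the subject from the message above shows why it is unsafe: it would match a reference identifier of verisign.com even though that RDN does not describe the certified entity. The function names and the subject string constant are constructed for this example.

```python
"""Added example (not from the certid thread): leaf-RDN CN matching."""
from typing import List, Optional, Tuple

# Subject name quoted in the thread; leftmost RDN is the most specific (leaf).
SUBJECT = "cn=example.com, o=Certificated, cn=verisign.com, c=US"


def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split an RFC 4514 string DN into (type, value) pairs, leaf RDN first.

    Backslash-escaped characters (e.g. '\\,' inside a value) are unescaped
    and do not act as separators. Attribute types are lower-cased.
    """
    parts: List[str] = []
    buf: List[str] = []
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            buf.append(dn[i + 1])  # keep the escaped char literally
            i += 2
            continue
        if ch == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
        i += 1
    parts.append("".join(buf))

    rdns: List[Tuple[str, str]] = []
    for rdn in parts:
        rdn = rdn.strip()
        if not rdn:
            continue
        typ, _, val = rdn.partition("=")  # split on the first '=' only
        rdns.append((typ.strip().lower(), val.strip()))
    return rdns


def leaf_cn(dn: str) -> Optional[str]:
    """Return the CN only if the leaf (leftmost) RDN is a CN, else None."""
    rdns = parse_dn(dn)
    if rdns and rdns[0][0] == "cn":
        return rdns[0][1]
    return None


def any_cn(dn: str) -> List[str]:
    """Naive approach for contrast: every CN anywhere in the subject."""
    return [val for typ, val in parse_dn(dn) if typ == "cn"]


def matches_reference(dn: str, reference: str) -> bool:
    """Compare the reference identifier against the leaf CN only (case-insensitive)."""
    cn = leaf_cn(dn)
    return cn is not None and cn.lower() == reference.lower()


if __name__ == "__main__":
    print("parsed:", parse_dn(SUBJECT))
    print("leaf CN:", leaf_cn(SUBJECT))
    print("all CNs (naive):", any_cn(SUBJECT))
    for ref in ("example.com", "verisign.com"):
        print(f"{ref!r} matches leaf CN: {matches_reference(SUBJECT, ref)}")
```

Running the block prints the parsed RDNs and shows that only example.com matches; the naive list contains verisign.com as well, which is exactly the ambiguity the leaf-RDN rule removes.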

_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
