On 2010/05/31 08:18 PDT, Martin Rex wrote:
> While there have been few implementations checking for multiple
> CN= parts, the guideline in rfc-2818 for subjectAltNames seems
> to be much clearer, that there can be more than one, and more
> than one needs to be checked.
That is precisely what it says NOT to do. It says
> If a subjectAltName extension of type dNSName is present, that MUST
> be used as the identity. Otherwise, the (most specific) Common Name
> field in the Subject field of the certificate MUST be used.

The phrase "the (most specific) Common Name field in the subject field" is not plural. There is at most one Common Name attribute in the name that is *the* most specific one. The words "most specific" refer to its position in the list of RDNs, which are arranged (as encoded in the certificate Name field) from most general (first) to most specific (last). So, the most specific Common Name is the last of the Common Name attributes in the sequence of RDNs, as encoded in the certificate.

_______________________________________________
certid mailing list
https://www.ietf.org/mailman/listinfo/certid
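The "most specific Common Name" rule from the quoted RFC 2818 text, worked as an added example that is not code from this thread: a minimal DER walk over a Subject Name that collects every CN in encoded RDN order and returns the last one. The `der`/`attr` helpers and the sample subject are constructed for the demonstration and are not from the thread.

```python
CN_OID = bytes.fromhex("550403")  # id-at-commonName (2.5.4.3)
def der(tag: int, payload: bytes) -> bytes:
    """Encode one DER TLV (definite length, short or long form)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(raw)]) + raw + payload

def iter_tlvs(buf: bytes):
    """Yield (tag, payload) for each TLV packed back to back in buf."""
    pos = 0
    while pos < len(buf):
        tag, first, pos = buf[pos], buf[pos + 1], pos + 2
        if first & 0x80:  # long form: low 7 bits = number of length octets
            nbytes = first & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + nbytes], "big"), pos + nbytes
        else:
            length = first
        yield tag, buf[pos:pos + length]
        pos += length

def common_names(name_der: bytes) -> list:
    """Every CN value in the Name, in encoded order (most general first)."""
    (tag, rdns), = iter_tlvs(name_der)
    assert tag == 0x30, "Name must be a SEQUENCE OF RelativeDistinguishedName"
    found = []
    for set_tag, rdn in iter_tlvs(rdns):        # each RDN is a SET
        assert set_tag == 0x31, "RDN must be a SET OF AttributeTypeAndValue"
        for _, atv in iter_tlvs(rdn):            # AttributeTypeAndValue SEQUENCE
            (_, oid), (_, value) = iter_tlvs(atv)
            if oid == CN_OID:
                found.append(value.decode("utf-8"))
    return found

def most_specific_cn(name_der: bytes):
    """RFC 2818 fallback identity: the CN in the last RDN, or None if no CN."""
    cns = common_names(name_der)
    return cns[-1] if cns else None

def attr(oid_hex: str, text: str, string_tag: int = 0x0C) -> bytes:
    """Build one AttributeTypeAndValue; value defaults to UTF8String."""
    return der(0x30, der(0x06, bytes.fromhex(oid_hex)) + der(string_tag, text.encode()))
# Constructed sample subject: C=US, O=Example, CN=old.example.test, CN=www.example.test
SAMPLE_NAME = der(0x30, b"".join(der(0x31, a) for a in (
    attr("550406", "US", 0x13),          # C as PrintableString
    attr("55040A", "Example"),
    attr("550403", "old.example.test"),  # earlier CN: more general
    attr("550403", "www.example.test"),  # last CN: the most specific one
)))
```

Only the fallback branch is shown; when a dNSName subjectAltName is present the quoted text requires it to be used instead, and the CN must not be consulted at all.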
