On 17.07.2010 02:54, Martin Rex wrote:
> I do _not_ like the idea to make multiple CN= matching part of the
> standard.  The clients that match on more than one CN= are quite few
> (mine does), it never was part of any standard or suggestion

Nor would I consider the wording "the (most specific) Common Name field
in the Subject field of the certificate" from RFC 2818 to be
authoritative or "part of a standard". Some implementers apparently
attached much importance to "(most specific)" in their reading of this
text, but I still wonder what the real intention was when that term was
added to / coined in RFC 2818. [1]

Just to be clear: I'm not advocating that CAs put multiple CNs into the
subject DN: I'm completely fine with having a strong recommendation in
section 3 ("Representation of Server Identity") for a single CN in the
subject only.

In section 4 ("Verification of Server Identity"), however, I think we
should expressly put an end to the debate of what "(most specific)" in
RFC 2818 really means, otherwise the confusion is perpetuated. Of the
two solutions - either explain at great length how it is to be
understood DER-encoding-wise, or just go loop over all CNs -, the latter
definitely seems preferable to me.

Kaspar

[1] Looking through
http://www.imc.org/ietf-apps-tls/mail-archive/maillist.html didn't give
a clue, unfortunately.
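As an added illustration, not code from this thread: the two readings side by side, run over a constructed subject DN modelled as a list of RDNs in DER order. Treating the last CN as the "(most specific)" one is an assumption made for the comparison, since that is precisely the point the thread finds unclear.

```python
"""Two readings of RFC 2818's "(most specific) Common Name" applied to
a constructed subject DN that carries more than one CN attribute."""
from typing import List, Tuple

# A DN is modelled as a list of RDNs in DER (SEQUENCE) order: the first
# RDN is the least specific, the last the most specific.  Each RDN is a
# list of (attributeType, value) pairs.  This mirrors a decoded X.501
# Name; it is not any particular library's API.
RDN = List[Tuple[str, str]]
DN = List[RDN]

# Constructed example: a CA that emitted several CNs for one server.
SUBJECT_WITH_MULTIPLE_CNS: DN = [
    [("C", "DE")],
    [("O", "Example GmbH")],
    [("CN", "www.example.com")],             # first CN in DER order
    [("OU", "Web"), ("CN", "example.com")],  # CN inside a multi-valued RDN
    [("CN", "mail.example.com")],            # last CN ("most specific"?)
]

def common_names(dn: DN) -> List[str]:
    """Every CN value in DN order, including those hidden inside
    multi-valued RDNs (a flattened 'CN=...,CN=...' display loses this)."""
    return [v for rdn in dn for (attr, v) in rdn if attr.upper() == "CN"]

def labels_match(reference: str, presented: str) -> bool:
    """Case-insensitive comparison handling only the whole-label wildcard
    of RFC 2818 section 3.1 ('*.a.com' matches 'foo.a.com', not
    'bar.foo.a.com'); partial-label forms like 'f*.com' are not handled."""
    ref = reference.rstrip(".").lower().split(".")
    pre = presented.rstrip(".").lower().split(".")
    if len(ref) != len(pre):
        return False
    if pre[0] == "*":
        return ref[1:] == pre[1:]
    return ref == pre

def matches_most_specific_cn(hostname: str, dn: DN) -> bool:
    """Reading 1 (assumed meaning of 'most specific'): compare the
    hostname only against the last CN in DER order."""
    cns = common_names(dn)
    return bool(cns) and labels_match(hostname, cns[-1])

def matches_any_cn(hostname: str, dn: DN) -> bool:
    """Reading 2: loop over every CN, as proposed in the message above."""
    return any(labels_match(hostname, cn) for cn in common_names(dn))
```

A client that picks one CN and a client that loops disagree on "www.example.com" for this subject, which is the interoperability gap the section 4 text would need to close.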
_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid