Eric Rescorla <[EMAIL PROTECTED]> writes:

> This isn't really true in the SSL case:
> To a first order, everyone ignores any extensions (except sometimes
> the constraints) and uses the CN for the DNS name of the server.

Except some CAs make certs that can only work as an SSL server and not
an SSL client, or don't work with certain verifiers, or can't be
parsed right, or have the "commit-bit" set on some extensions.  It's
been a major pain in a problem that I'm working on -- not all vendors'
certs work properly.

> -Ekr

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       [EMAIL PROTECTED]             www.ihtfp.com
