> "Matt Crawford" <[EMAIL PROTECTED]> writes:
> >... Netscrape ind Internet Exploder each have a hack for
> >honoring the same cert for multiple server names.  Opera seems to honor at
> >least one of the two hacks, and a cert can incorporate both at once.
> >
> >       /C=US/ST=Illinois/L=Batavia/O=Fermilab/OU=Services
> >       /CN=(alpha|bravo|charlie).fnal.gov/CN=alpha.fnal.gov
> >       /CN=bravo.fnal.gov/CN=charlie.fnal.gov
> Just to clarify this, so you need a multivalued CN, with one containing the
> expression "(a|b|c)" and the remaining containing each of "a", "b", and "c"?
> Is it multiple AVAs in an RDN, or multiple RDNs?   (Either of these could be
> hard to generate with a lot of software, which can't handle multiple AVAs in
> an RDN or multiple same-type RDNs).  Which hack is for MSIE and which is for
> Netscape?

Each CN is in a single-element RDN as usual. Netscape honors only the
first CN in the SubjectDN, but will treat it as a restricted regex
(shell-like * wildcard, alternation and grouping). IE checks the
server name against each CN's individually.

This was mainly determined by experimentation.  I think we did find a
limit on how long that first regex could be, but I don't remember
what it was.  Longer than my example, but short enough that some of
our bigger virtual-hosting servers were inconvenienced by it.

Openssl has no qualms about multiple same-type components.  You just
have to use the somewhat documented

0.commonName = ...
1.commonName = ...
2.commonName = ...

in the configuration file.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to