"Amir Herzberg" <[EMAIL PROTECTED]> writes:
> Ian Clelland said,
> This is not as simple as one may expect. X.509 has a hierarchy mechanism
> designed for allowing organizations to issue (or at least control)
> certificates of departments and employees - the Distinguished Name (DN)
> and its keywords. However, browsers normally identify the server by its
> DNS name, which is usually included in the dNSName attribute in the
> subjectAltName extension, rather than in the X.509 DN.

We could only hope :( It should be in the dNSName but actually, it's
usually stuffed into the Common Name, unless things have changed.
> Anyway, the validation is up to the browser - it is _not_ part of the
> SSL/TLS functionality. Furthermore, while X.509 and PKIX have mechanisms
> to allow a root CA to restrict the scope of certificates issued by a
> root CA, these mechanisms seem to focus on restricting the distinguished
> names in the issued certificates, rather than the subjectAltName (and in
> particular the DNS name). So my bet is that all or most browsers will
> not reject certificates with arbitrary DNS names issued by a corporation
> with a CA certified by RSA (or any other root CA).

As far as I know, this is completely the case.

-Ekr

--
[Eric Rescorla                                   [EMAIL PROTECTED]]
                http://www.rtfm.com/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
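The two mechanisms the thread contrasts, hostname matching against the dNSName SAN entries with the Common Name as fallback, and a dNSName subtree constraint on a subordinate CA, are small enough to write out. The following is an added illustration, not code from either poster: it emulates the browser-side decision over constructed stand-in certificate records (the `Cert` dataclass and the names `corp.example`, `bank.test`, `Corp Issuing CA` are hypothetical, not parsed X.509). The subtree rule follows RFC 5280's dNSName constraint (a name satisfies `host.example.com` when it equals it or adds labels on the left); the `constrain_cn` switch shows the gap the thread worries about: if the constraint logic only looks at subjectAltName, a CN-only certificate for an out-of-scope host passes.

```python
"""Hostname matching and dNSName name constraints, browser-side emulation.
Added illustration with constructed inputs; not real X.509 parsing."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Cert:
    """Only the fields this example needs (constructed stand-in for a certificate)."""
    common_name: str
    san_dns: List[str] = field(default_factory=list)        # subjectAltName dNSName entries
    permitted_dns: Optional[List[str]] = None               # NameConstraints permittedSubtrees (dNSName), CAs only
    excluded_dns: List[str] = field(default_factory=list)   # NameConstraints excludedSubtrees (dNSName)


def _norm(name: str) -> str:
    return name.lower().rstrip('.')


def dns_name_match(pattern: str, hostname: str) -> bool:
    """Match a presented dNSName (possibly '*.example') against the hostname.
    A wildcard is honoured only as the entire leftmost label, covers exactly one
    label, and needs at least two labels to its right (so '*' and '*.com' never match)."""
    pattern, hostname = _norm(pattern), _norm(hostname)
    if '*' not in pattern:
        return pattern == hostname
    p, h = pattern.split('.'), hostname.split('.')
    if p[0] != '*' or len(p) < 3 or any('*' in lbl for lbl in p[1:]):
        return False
    return len(p) == len(h) and p[1:] == h[1:]


def presented_names(cert: Cert) -> List[str]:
    """Where the browser looks: dNSName SAN entries if present, else the Common Name."""
    return list(cert.san_dns) if cert.san_dns else [cert.common_name]


def hostname_matches(cert: Cert, hostname: str) -> bool:
    return any(dns_name_match(n, hostname) for n in presented_names(cert))


def in_dns_subtree(name: str, subtree: str) -> bool:
    """RFC 5280 dNSName constraint: name equals the subtree or adds labels on its left.
    A leading '.' on the constraint is tolerated; a wildcard leaf is judged by its suffix."""
    name, subtree = _norm(name), _norm(subtree).lstrip('.')
    if name.startswith('*.'):
        name = name[2:]
    return name == subtree or name.endswith('.' + subtree)


def ca_permits_name(ca: Cert, name: str) -> bool:
    if any(in_dns_subtree(name, s) for s in ca.excluded_dns):
        return False
    if ca.permitted_dns is None:          # no permittedSubtrees: anything goes
        return True
    return any(in_dns_subtree(name, s) for s in ca.permitted_dns)


def chain_accepts(hostname: str, leaf: Cert, cas: List[Cert], constrain_cn: bool = False):
    """Emulated browser decision: the name must match, and every name the constraint
    logic examines must be permitted by every CA above the leaf.
    With constrain_cn=False only SAN dNSName entries are examined, so a CN-only
    certificate is never rejected by a dNSName constraint."""
    if not hostname_matches(leaf, hostname):
        return False, 'hostname mismatch'
    checked = list(leaf.san_dns)
    if constrain_cn and not leaf.san_dns:
        checked.append(leaf.common_name)
    for ca in cas:
        for name in checked:
            if not ca_permits_name(ca, name):
                return False, f'{name} outside constraints of {ca.common_name}'
    return True, 'accepted'


# Constructed chain: an unconstrained root and a corporate issuing CA limited to corp.example.
ROOT = Cert('Example Root CA')
CORP_CA = Cert('Corp Issuing CA', permitted_dns=['corp.example'])


def demo():
    ok_leaf = Cert('www.corp.example', san_dns=['www.corp.example', '*.corp.example'])
    rogue_san = Cert('www.bank.test', san_dns=['www.bank.test'])   # out-of-scope name in SAN
    rogue_cn = Cert('www.bank.test')                                # out-of-scope name in CN only
    return {
        'in_scope': chain_accepts('api.corp.example', ok_leaf, [CORP_CA, ROOT]),
        'rogue_san': chain_accepts('www.bank.test', rogue_san, [CORP_CA, ROOT]),
        'rogue_cn_lenient': chain_accepts('www.bank.test', rogue_cn, [CORP_CA, ROOT]),
        'rogue_cn_strict': chain_accepts('www.bank.test', rogue_cn, [CORP_CA, ROOT], constrain_cn=True),
    }


if __name__ == '__main__':
    for label, result in demo().items():
        print(f'{label}: {result}')
```

Running it shows the in-scope wildcard certificate accepted, the SAN-bearing rogue certificate rejected by the corporate CA's constraint, and the CN-only rogue certificate accepted unless the verifier also applies the constraint to the Common Name it fell back to for matching.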