Chris,
Below is a comment from Nelson Bolyard of the NSS team regarding
Geotrust's Power Server ID certificates. Could you clarify how Geotrust
is implementing these certificates (i.e., in terms of using CN vs.
SubjectAltName)? You may in fact be doing the conformant thing, and I've
misinterpreted the description at
http://www.geotrust.com/products/ssl_certificates/power_server_id.asp
Thanks in advance for any info you can provide on this.
Frank
Nelson B wrote:
Frank Hecker wrote:
In looking at Geotrust's request to add more root CA certs (bug 294916)
I happened to notice that Geotrust offers a somewhat similar service,
[snip]
From the product description it appears that one domain
goes in the CN attribute and the rest in SubjectAltName.
That's not conformant with the relevant RFC. RFC 2818 says:
If a subjectAltName extension of type dNSName is present, that MUST
be used as the identity. Otherwise, the (most specific) Common Name
field in the Subject field of the certificate MUST be used. Although
the use of the Common Name is existing practice, it is deprecated and
Certification Authorities are encouraged to use the dNSName instead.
It's either one or the other, not the union of the two. Conformant clients
will not recognize the name in the subject common name when the subject
alt name is present.
Subject alt name can have many names. Subject common name can have only one.
Subject Alt Name is the standard. Subject Common Name, the old de facto
standard, is now deprecated. There's no reason not to include ALL the
relevant names in the subject alt name.
I think we need to be clear that, to be admitted to mozilla's CA list,
CAs must be conforming with the relevant RFCs.
--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
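The RFC 2818 section 3.1 rule Nelson quotes above (dNSName subjectAltName, when present, is the identity; the subject CN is consulted only when no dNSName is present; the two are never unioned) can be shown in code. The following is an added example written for this page, not code from NSS, Mozilla, Geotrust or any participant in the thread. It operates on constructed dictionaries standing in for already-parsed certificate fields rather than on real X.509 objects, and the "one name in the CN, the others in the SAN" layout is an assumption modelling how the product description was read in the thread, not a verified description of any issued certificate. Wildcard handling follows the RFC 2818 text ("*.a.com matches foo.a.com but not bar.foo.a.com; f*.com matches foo.com").

```python
"""RFC 2818 section 3.1 server identity check (added example, not project code).

A certificate is modelled as a dict with two keys:
  'subject_cn' : the subject Common Name, or None
  'san_dns'    : list of dNSName entries from subjectAltName (empty if absent)
"""


def _match_pattern(pattern, hostname):
    """Case-insensitive DNS-name match with RFC 2818 wildcard semantics.

    '*' matches any single label or fragment of a label, so
    '*.a.com' matches 'foo.a.com' but not 'bar.foo.a.com', and
    'f*.com' matches 'foo.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if len(p_labels) != len(h_labels):
        # A wildcard never spans a dot, so label counts must agree.
        return False
    for p, h in zip(p_labels, h_labels):
        if "*" in p:
            if p.count("*") != 1:
                # Multiple wildcards in one label: reject as ambiguous.
                return False
            prefix, _, suffix = p.partition("*")
            if len(h) < len(prefix) + len(suffix):
                return False
            if not (h.startswith(prefix) and h.endswith(suffix)):
                return False
        elif p != h:
            return False
    return True


def rfc2818_identity_names(cert):
    """Return the names a conformant client checks against the URI host.

    If any dNSName is present in subjectAltName, that list is the identity
    and the CN is ignored.  Only when no dNSName exists (including the case
    of a SAN that carries other types, e.g. iPAddress, but no dNSName) does
    the most specific CN apply.
    """
    san_dns = cert.get("san_dns") or []
    if san_dns:
        return list(san_dns)
    cn = cert.get("subject_cn")
    return [cn] if cn else []


def hostname_matches(cert, hostname):
    """True if hostname is accepted for cert under RFC 2818 rules."""
    return any(_match_pattern(name, hostname) for name in rfc2818_identity_names(cert))


# Constructed certificates (assumptions for illustration, not real data).

# Layout the thread reads the product description as describing:
# one name in the CN, the remaining names only in the SAN.
SPLIT_CN_SAN = {
    "subject_cn": "www.example.com",
    "san_dns": ["mail.example.com", "shop.example.com"],
}

# Layout Nelson recommends: every name, the CN's included, in the SAN.
ALL_IN_SAN = {
    "subject_cn": "www.example.com",
    "san_dns": ["www.example.com", "mail.example.com", "shop.example.com"],
}

# Legacy single-name certificate with no SAN at all: CN is used.
CN_ONLY = {"subject_cn": "www.example.com", "san_dns": []}


if __name__ == "__main__":
    for label, cert in (("split", SPLIT_CN_SAN), ("all-in-san", ALL_IN_SAN), ("cn-only", CN_ONLY)):
        for host in ("www.example.com", "mail.example.com"):
            print(f"{label:10s} {host:18s} -> {hostname_matches(cert, host)}")
```

The interesting row is the split layout: `www.example.com` is rejected even though it is literally the subject CN, because a dNSName is present and a conformant client stops looking at the CN. Putting the CN's name into the SAN as well, as in `ALL_IN_SAN`, costs nothing and makes the certificate work for every listed host. A later caveat for anyone reusing this matcher today: RFC 6125 (2011) narrowed wildcard handling (a wildcard only as the complete left-most label, never in a partial label or a public suffix), so the `f*.com` behaviour shown here is the 2818 rule, not what current browsers accept.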