--On Tuesday, February 27, 2007 10:41 AM +0100 Magnus Morén
<[EMAIL PROTECTED]> wrote:

> Michael Ströder wrote:
>> Magnus Morén wrote:
>>> 2) What is the "best practice" here? Try to get Verisign to include
>>> subjectaltname OR
>>
>> A CA is free to issue certs based on their policy which also contains a
>> cert profile (including the extensions). One might suspect that
>> subjectAltName might be regarded as extension causing harm to the
>> pay-per-DNS-name business of Verisign...
>
> True.
> Does anybody know about another CA (other than Verisign) that can
> include subjectAltName?

No. But @ Stanford, what we did is get a cert for "*.stanford.edu" from
Comodo, and after I wrote a patch for OpenLDAP (because Comodo doesn't
issue the cert correctly, either), it works. The patch is part of the
OpenLDAP source from 2.2.something on.

Basically, I'm unaware of any commercial cert vendor that does things
correctly, because to do so would be an extreme revenue drain for them. So
there is no motivation for them to do it.

--Quanah
--
Quanah Gibson-Mount
Principal Software Developer
ITS/Shared Application Services
Stanford University
GnuPG Public Key: http://www.stanford.edu/~quanah/pgp.html