When can we expect the implementation for the SubjectAltName?
http://www.ietf.org/rfc/rfc2459.txt - Jan 1999
Section "4.2.1.7 Subject Alternative Name"
http://www.ietf.org/rfc/rfc3280.txt - April 2002
Section "4.2.1.7 Subject Alternative Name"
dhiva
Michael Ströder wrote:
> Nelson B. Bolyard wrote:
>
>>
>> The comparison between the hostname in the URL (call it "hn") and the
>> name from the cert (either from the NS extension or from the subject CN
>> attribute, either way call it "cn") is then done as follows:
>>
>> Step 1. If hn does not contain a "dot", and cn does contain a dot,
>> then truncate cn at the leftmost dot.
>>
>> e.g. if hn is "www" and cn is "www.foo.com", truncate cn to be "www".
>>
>> Step 2. If "cn" is a regular expression (e.g. has wild card characters,
>> etc.) then test whether hn matches the regular expression in cn.
>> If so, the cert name matches, if not it is a mismatch error.
>> Either way, Stop here if cn is a regular expression.
>>
>> Step 3. "cn" is not a regular expression. Compare the hn and cn
>> strings.
>> If they match, the cert name matches, stop.
>> Step 4. If hn contained a dot, compare the string to the right of the
>> leftmost dot in hn (that is, the domain part of hn) with the
>> string cn. If they match, the cert name is considered a match, stop.
>>
>> examples:
>> if hn is "www.foo.bar" and cn is "foo.bar", they will match.
>> if hn is "www.xxx.foo.bar" and cn is "foo.bar", they will not match.
>>
>> Step 5. The cert name is a mismatch. Stop.
>
>
> For security reasons I would be glad if you drop steps 1. and 4.
>
> Ciao, Michael.
>
--- Begin Message ---
dhiva <[EMAIL PROTECTED]> wrote in message news:<[EMAIL PROTECTED]>...
> Jean-Marc Desperrier wrote:
> > dhiva wrote:
> >
> >> I have a cert with CN as host name and multiple host names listed in the
> >> SubjectAltName extension, but I am getting "Domain name mismatch warning"
> >
> >
> > ?
> >
> > I'm sorry, but I've never heard of this way of using SubjectAltName for
> > server certificates being normalized anywhere.
> > Can you supply information, if this is the case ?
>
> http://www.ietf.org/rfc/rfc2459.txt - Jan 1999
> Section "4.2.1.7 Subject Alternative Name"
>
> http://www.ietf.org/rfc/rfc3280.txt - April 2002
> Section "4.2.1.7 Subject Alternative Name"
>
> Let me know if I misunderstood.
>
> MORE INFO:
> I have an SSL cert with CN=descriptive server name and multiple host names
> (server A1, server A2 & server A3) listed in the SubjectAltName extension.
> The current version of IE 5 does the host name check against the CN of the
> Subject. If it doesn't match, then it does the same check against the host
> name list of SubjectAltName; it doesn't throw any warning if the host
> name is present in the list and continues to work.
> And we feel this is the right way of handling the SSL Cert AltName
> Extension. We would like to have this functionality built-in because
> most of our community uses Netscape & Mozilla!!!
>
> I am not sure about the hostname check with the OPERA browser. But I am sure
> it's not throwing a SECURITY WARNING.
>
> thanks
> dhiva
I also need this functionality.
David Webb
VMS and Unix team leader
CCSS
Middlesex University
--- End Message ---
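
The five-step comparison quoted above, with a switch for dropping steps 1 and 4 as the reply asks, plus the CN-then-SubjectAltName check described in the attached message, written out as an added Python example (not part of the original thread and not any browser's own code). Treating `*`, `?` and `[` as the wildcard characters and matching them shell-style with `fnmatchcase` is an assumption, and the `example.test` host names are constructed.

```python
from fnmatch import fnmatchcase

WILDCARDS = set("*?[")  # assumption: characters that make cn a "regular expression"

def name_matches(hn, cn, drop_steps_1_and_4=False):
    """Steps 1-5 from the quoted message; returns True when the names match."""
    hn, cn = hn.lower(), cn.lower()
    # Step 1: hn has no dot and cn has one -> truncate cn at its leftmost dot.
    if not drop_steps_1_and_4 and "." not in hn and "." in cn:
        cn = cn.split(".", 1)[0]
    # Step 2: a cn with wildcard characters decides the result on its own.
    if WILDCARDS & set(cn):
        return fnmatchcase(hn, cn)
    # Step 3: plain string comparison.
    if hn == cn:
        return True
    # Step 4: compare the part of hn to the right of its leftmost dot with cn.
    if not drop_steps_1_and_4 and "." in hn:
        return hn.split(".", 1)[1] == cn
    # Step 5: mismatch.
    return False

def cert_matches(hn, cn, san_dns_names=(), drop_steps_1_and_4=False):
    """Check the subject CN first, then each SubjectAltName host name."""
    names = [cn, *san_dns_names]
    return any(name_matches(hn, n, drop_steps_1_and_4) for n in names)

if __name__ == "__main__":
    # Constructed cases; the first three are the examples given in the thread.
    cases = [("www", "www.foo.com"), ("www.foo.bar", "foo.bar"),
             ("www.xxx.foo.bar", "foo.bar"), ("www", "*.foo.com")]
    print("hn, cn, all steps, steps 1 and 4 dropped")
    for hn, cn in cases:
        print(hn, cn, name_matches(hn, cn), name_matches(hn, cn, True))
    sans = ["a1.example.test", "a2.example.test", "a3.example.test"]
    print(cert_matches("a2.example.test", "descriptive server name", sans, True))
```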