Ian G wrote:
(Quoting Gervase)
- Certs often contain wildcards, which cannot easily be understood by end users. (What does "mecha|rheet.mozilla.org" mean?) We needed to display a single hostname in that space at all times.
Modern certs contain "Subject alternative Names", which is a list of names that are all valid for the cert. The old CN=dnsname trick in the cert's subject name is now deprecated. The correct way for certs to list the valid DNSnames they represent is to list all those names as "subject alt names". There can be many subject alt names. SubjectAltNames can also include email addresses, so a single cert can be valid for multiple web sites and for multiple email users. (Whether that's a good thing or not is another subject I don't wish to explore at the moment.)
I see! Tough one. Question of clarification - are you saying that the status bar always displays the target host name rather than the domain field out of the cert?
Remember that a cert now contains a LIST of valid domain names. So, if the browser were to display names from the list, which name or names would it display?
That would mean that the status bar is simply another confirmation of the original host.
Yes, it confirms that the name you entered is one of the valid names given in the cert.
BTW, when a cert contains a list of "subject alt names" (SAN), that list is definitive; that is, the value of the subject name's CN= field is NOT to be considered when SubjectAltNames are present. Thus, the list of valid DNSnames is NOT the union of the names in the SAN plus the name in the subject's CN=, but rather is just the list in the SAN. So, any name that is listed in the CN= must also be listed in the SAN.
-- 
Nelson B

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
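The matching rule Nelson describes above (the subjectAltName list is definitive when present, the subject CN counts only as a legacy fallback, and the browser simply checks that the host you typed is one of the listed names) is easy to get wrong, so here is a worked example of it. This is an added illustration, not code from the thread or from Mozilla: the `CertNames` class is a constructed model of the relevant certificate fields rather than a parsed X.509 structure, the sample certificates are made up, and the wildcard rules follow RFC 6125 (a `*` is allowed only as the whole leftmost label, matches exactly one label, and is rejected when it would cover a public suffix such as `*.com`).

```python
"""Hostname validation against a certificate's names, in the style of
RFC 2818 / RFC 6125. Added example; CertNames is a constructed model."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    """Identity fields that matter for hostname checking (constructed model)."""
    subject_cn: Optional[str] = None
    san_dns: List[str] = field(default_factory=list)    # dNSName entries
    san_email: List[str] = field(default_factory=list)  # rfc822Name entries


def candidate_dns_names(cert: CertNames) -> List[str]:
    """Names a URL host may be matched against.

    If the cert carries any subjectAltName, that list is definitive and the
    subject CN is ignored entirely (it is NOT unioned in). Only a cert with
    no SAN at all falls back to CN. Email SANs never count for a hostname."""
    if cert.san_dns or cert.san_email:
        return list(cert.san_dns)
    return [cert.subject_cn] if cert.subject_cn else []


def dns_name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive match of one cert name (possibly a wildcard) to a host."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Wildcard only as the entire leftmost label, nowhere else, and with at
    # least two labels after it (rejects "*.com", "w*.example.org", "a.*.b").
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    # "*" stands for exactly one label: "*.mail.example.org" does not cover
    # "mail.example.org" or "a.b.mail.example.org".
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def matching_name(cert: CertNames, host: str) -> Optional[str]:
    """Return the cert name that validates `host`, or None.

    A browser shows the host the user typed; this tells it whether that host
    is one of the cert's valid names (and which entry matched)."""
    for name in candidate_dns_names(cert):
        if dns_name_matches(name, host):
            return name
    return None


# Constructed sample certificates (illustrative values only).
MODERN_CERT = CertNames(
    subject_cn="legacy.example.org",   # present, but must be ignored: SAN exists
    san_dns=["www.example.org", "*.mail.example.org"],
    san_email=["postmaster@example.org"],
)
LEGACY_CERT = CertNames(subject_cn="old.example.org")   # no SAN: CN fallback


if __name__ == "__main__":
    for cert, host in [(MODERN_CERT, "www.example.org"),
                       (MODERN_CERT, "legacy.example.org"),
                       (MODERN_CERT, "imap.mail.example.org"),
                       (MODERN_CERT, "mail.example.org"),
                       (LEGACY_CERT, "old.example.org")]:
        print(f"{host:28} -> {matching_name(cert, host)!r}")
```

Note the second case: `legacy.example.org` sits in the CN of `MODERN_CERT` but not in its SAN, so a conforming client rejects it, exactly the "CN must also be listed in the SAN" point above.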
