Ian G wrote (quoting me):
BTW, when a cert contains a list of "subject alt names" (SAN), that list is definitive; that is, the value of the subject name's CN= field is NOT to be considered when SubjectAltNames are present. Thus, the list of valid DNSnames is NOT the union of the names in the SAN plus the name in the subject's CN=, but rather is just the list in the SAN. So, any name that is listed in the CN= must also be listed in the SAN.
Given your other welcome reminder, does IE implement the SAN list and the priority order you describe?
If so, then CACert could be encouraged to show some instructions on how to create these certs.
IE implements SANs. I have received reports that IE will treat a CN= name (if present) as if it was just another one of the names in the SAN list.
If not, then as average users, we would not really want to create them if IE doesn't do it.
A person who wishes to have a cert that works with IE and with RFC compliant clients should do as I described above, and put the FULL list of hostnames in the SAN, and then (if desired) duplicate one of them in the CN= part of the subject name. That approach will work with IE and with RFC compliant clients.
-- 
Nelson B

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
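The two name-matching rules discussed in this thread (SAN is definitive per the RFC; CN treated as one more SAN entry in the reported IE behaviour), as an added example that is not part of the original post. The certificate is a constructed stand-in holding only the subject CN and the dNSName SAN entries; no real X.509 parsing is done.

```python
# Added example, not code from the thread. Compares RFC-style hostname
# matching (SAN present -> SAN is definitive, CN ignored) with the lenient
# IE-like behaviour reported above (CN treated as just another SAN name),
# and checks the advice to put the full list in the SAN and only duplicate
# one of those names in the CN.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class ConstructedCert:
    """Stand-in for a cert: only the fields the matching rules look at."""
    subject_cn: Optional[str]
    san_dns_names: List[str] = field(default_factory=list)


def _norm(name: str) -> str:
    # DNS names compare case-insensitively; drop a trailing dot as well.
    return name.strip().lower().rstrip(".")


def names_rfc(cert: ConstructedCert) -> set:
    """RFC rule: if any SAN dNSName exists, the SAN list is the whole answer."""
    if cert.san_dns_names:
        return {_norm(n) for n in cert.san_dns_names}
    return {_norm(cert.subject_cn)} if cert.subject_cn else set()


def names_lenient(cert: ConstructedCert) -> set:
    """Reported IE behaviour: union of the SAN list and the CN name."""
    names = {_norm(n) for n in cert.san_dns_names}
    if cert.subject_cn:
        names.add(_norm(cert.subject_cn))
    return names


def hostname_matches(cert: ConstructedCert, hostname: str, lenient: bool = False) -> bool:
    valid = names_lenient(cert) if lenient else names_rfc(cert)
    return _norm(hostname) in valid


def cn_covered_by_san(cert: ConstructedCert) -> bool:
    """The check from the thread: a CN name must also appear in the SAN."""
    if not cert.san_dns_names or not cert.subject_cn:
        return True  # nothing to cross-check
    return _norm(cert.subject_cn) in names_rfc(cert)


# Constructed cases. BAD lists a name in the CN that is missing from the SAN,
# so only the lenient rule accepts it; GOOD follows the advice in the thread.
BAD = ConstructedCert("www.example.org", ["mail.example.org"])
GOOD = ConstructedCert("www.example.org", ["www.example.org", "mail.example.org"])
```

Running `cn_covered_by_san` over a cert before deployment catches the BAD shape, which works in IE but fails against RFC-compliant clients.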
