On Fri, Apr 21, 2006 at 11:42:34AM -0400, Richard Salz wrote:
> > Wow a 512 bit key! Really unwise.
>
> True.
>
> > You did not mention the
> >
> > X509v3 Subject Alternative Name:
> > DNS:helpdesk.cis.uab.edu
> >
> > When this is present the CN is ignored.
>
>
> Really? That seems like a bug. There's a reason why it's called
> subjectAlternativeName, and not subjectPreferredName. Nevertheless, as you
> say, putting both names is a reasonable work-around.
>
The usual interpretation seems to be not an alternative in the sense
of "one more of the same", but rather "one more and possibly better
*representation* of the same".
The subject name in the certificate is an X.500 DN. What Internet
applications that want to authenticate a connection to a given host are
trying to verify is a DNS name. The convention for overloading CommonName
in X.500 DNs as candidate DNS names is a transitional hack. When DNS
names are present in the SubjectAlternativeName extension, these (with RFC
blessing) are taken to represent *ALL* the valid DNS names of the subject.
I don't have an RFC reference for such an interpretation. Anyone have
a handy reference?
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
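For readers who want the rule Viktor describes in concrete form: RFC 2818 section 3.1 states that if a subjectAltName extension of type dNSName is present, it MUST be used as the identity, and only otherwise is the (most specific) Common Name used. The following is an added example written for this page, not code from the thread or from OpenSSL. It applies that precedence to certificate dicts in the shape Python's `ssl.SSLSocket.getpeercert()` returns; the dicts themselves are constructed, the `match_hostname` helper is ours, and the wildcard handling is a deliberately conservative reading of RFC 6125 (whole leftmost label only, at least two fixed labels after it).

```python
"""Hostname matching with SAN-over-CN precedence (RFC 2818 s.3.1, RFC 6125).

dNSName entries in subjectAltName, when present, are the complete set of
DNS identities and the CN is ignored. The CN is only a fallback for
certificates that carry no dNSName SAN at all.
"""
from typing import Optional

# Constructed certificate dicts in the shape returned by
# ssl.SSLSocket.getpeercert(); these are not real certificates.
CERT_CN_ONLY = {
    "subject": ((("commonName", "helpdesk.cis.uab.edu"),),),
}
CERT_WITH_SAN = {
    # CN present but NOT listed in the SAN: the thread's situation.
    "subject": ((("commonName", "helpdesk.cis.uab.edu"),),),
    "subjectAltName": (("DNS", "www.cis.uab.edu"),),
}
CERT_WILDCARD = {
    "subject": ((("commonName", "ignored.example"),),),
    "subjectAltName": (("DNS", "*.cis.uab.edu"), ("IP Address", "192.0.2.1")),
}


def _dns_names(cert: dict) -> list:
    """dNSName SAN values only; IP Address / email / URI SANs are not DNS identities."""
    return [v for (t, v) in cert.get("subjectAltName", ()) if t == "DNS"]


def _common_names(cert: dict) -> list:
    """All commonName attributes from the subject DN (getpeercert nests RDNs as tuples)."""
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]


def _label_match(pattern: str, host: str) -> bool:
    """Case-insensitive label-wise comparison.

    A '*' is accepted only as the entire leftmost label, matches exactly one
    label, and needs at least two fixed labels after it ("*.cis.uab.edu" yes,
    "*.edu" no). Partial wildcards such as "f*.example" are rejected.
    This is a conservative reading of RFC 6125 s.6.4.3, chosen for this example.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    if any("*" in label for label in p):
        return False
    return p == h


def match_hostname(cert: dict, hostname: str) -> Optional[str]:
    """Return the identifier that matched ("SAN:..." or "CN:..."), or None.

    If the certificate has any dNSName SAN, only those are consulted; a CN
    that is missing from the SAN list does not help, which is exactly why
    the helpdesk.cis.uab.edu certificate in the thread fails verification.
    """
    sans = _dns_names(cert)
    if sans:
        for name in sans:
            if _label_match(name, hostname):
                return "SAN:" + name
        return None  # SANs present, none matched: CN is NOT consulted
    for cn in _common_names(cert):  # transitional CN fallback only
        if _label_match(cn, hostname):
            return "CN:" + cn
    return None


if __name__ == "__main__":
    for label, cert in (("CN only", CERT_CN_ONLY), ("CN + SAN", CERT_WITH_SAN),
                        ("wildcard SAN", CERT_WILDCARD)):
        print(label, "->", match_hostname(cert, "helpdesk.cis.uab.edu"))
```

The second case is the one from the thread: the CN says helpdesk.cis.uab.edu, but because a dNSName SAN exists, the verifier never looks at the CN, and the fix is to list every hostname the server answers to in the SAN, the CN included.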