Section 4.2 in 6962-bis says: "When a precertificate contains that extension and contains a CN-ID [RFC6125], the CN-ID MUST match the first DNS-ID and have the same labels redacted. TLS clients will use the first entry in the SEQUENCE OF INTEGERs to reconstruct both the first DNS-ID and the CN-ID."
I'm aware of a problem (confirmed by Peter Bowen at Amazon) with Java7 and
Java8 where getting a new certificate with a different SAN ordering from the
previous one will prevent those Java clients from successfully validating
the new certificate, at least until the cache in the client expires the old
cert information. In most cases, we put the CN-ID in the first SAN field,
but there are exceptions made in cases like this.
I think the spec used to say that the first item in the SEQUENCE represented
the CN-ID, and I missed the discussion where that changed.
-Rick
_______________________________________________ Trans mailing list [email protected] https://www.ietf.org/mailman/listinfo/trans
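The reconstruction rule quoted from 6962-bis section 4.2 (one INTEGER per DNS-ID, the first one also governing the CN-ID) can be expressed as a small check that a CA could run at issuance time, or that a client would perform before verifying an SCT over the precertificate. The following is an added example, not code from the email, from the draft, or from any CA; it assumes that a redacted label is written as a single "?" in the precertificate and that the i-th INTEGER counts the leftmost labels redacted from the i-th DNS-ID, and the function and variable names are the author's own:

```python
"""Reconstruct redacted precertificate names from a final certificate's names.

Assumptions (not stated in the email): a redacted label is rendered as "?",
and the i-th INTEGER in the extension is the number of leftmost labels
redacted from the i-th DNS-ID. Names here are plain strings; in practice
they come from the certificate's SAN extension and subject CN.
"""
from typing import List, Optional, Tuple

REDACTED_LABEL = "?"  # assumed redaction marker


def split_labels(name: str) -> List[str]:
    """Normalise a DNS name into lowercase labels without a trailing dot."""
    return name.lower().rstrip(".").split(".")


def redact(dns_id: str, count: int) -> str:
    """Replace the leftmost `count` labels of dns_id with the redaction marker."""
    parts = split_labels(dns_id)
    if count < 0:
        raise ValueError(f"negative redaction count for {dns_id}")
    if count >= len(parts):
        # At least the registrable part must stay visible.
        raise ValueError(f"would redact every label of {dns_id}")
    return ".".join([REDACTED_LABEL] * count + parts[count:])


def reconstruct_precert_names(
    cn_id: Optional[str],
    dns_ids: List[str],
    redacted_counts: List[int],
) -> Tuple[Optional[str], List[str]]:
    """Return (precert CN-ID, precert DNS-IDs) or raise on a rule violation.

    Enforces the 6962-bis rule: with the extension present, a CN-ID must equal
    the first DNS-ID and is redacted with that DNS-ID's count.
    """
    if not dns_ids:
        raise ValueError("certificate carries no DNS-ID")
    if len(redacted_counts) != len(dns_ids):
        raise ValueError("expected exactly one INTEGER per DNS-ID")

    precert_dns_ids = [redact(d, c) for d, c in zip(dns_ids, redacted_counts)]

    precert_cn = None
    if cn_id is not None:
        if split_labels(cn_id) != split_labels(dns_ids[0]):
            raise ValueError("CN-ID must match the first DNS-ID")
        # Same labels redacted as the first DNS-ID, by construction.
        precert_cn = precert_dns_ids[0]
    return precert_cn, precert_dns_ids


if __name__ == "__main__":
    # Constructed sample: CN placed first in the SAN list, one label redacted each.
    cn, sans = reconstruct_precert_names(
        "www.example.com",
        ["www.example.com", "mail.example.com"],
        [1, 1],
    )
    print("precert CN-ID:", cn)
    print("precert DNS-IDs:", sans)
    # Constructed sample of the ordering problem the email mentions: the CN is
    # present in the SAN list but is not first, so the rule is violated.
    try:
        reconstruct_precert_names(
            "mail.example.com",
            ["www.example.com", "mail.example.com"],
            [0, 0],
        )
    except ValueError as err:
        print("rejected:", err)
```

The check is deliberately strict about the SAN order: a certificate whose CN appears later in the SAN list than the first DNS-ID is exactly the case the quoted text rules out once the redaction extension is present, so an issuance pipeline that sometimes reorders SANs for client-compatibility reasons would want to run this before generating a precertificate.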
