On Fri, Nov 20, 2015 at 9:56 AM, Salz, Rich <[email protected]> wrote:
> I would say that subjectAltName is ubiquitous, and CAs are reluctant to stop
> using CN because it might break someone, somewhere.

Pre-caffeine, I couldn't think of the attribute for holding CNAMEs, thank you.

Path validation, I think, requires both, but if a CNAME shows up in subjectAltName, and everything else checks out, you are good to go. I think (pretty sure) validation requires a check first for CN though, then it goes through the alternate names. RFC5280 hasn't changed, or is there an update I missed that changes proper path validation? I would guess things would break without CN values included.

Anyway, I think we are good on this one now.

Thanks,
Kathleen

>
> At least in my experience at work and on OpenSSL.

--
Best regards,
Kathleen

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
