Ilari Liusvaara <ilariliusva...@welho.com> writes:
>1) CN-IDs have long been deprecated.
Right, but everyone uses the CN for the primary ID anyway, that's pretty much
the universal usage for it. Deprecating this universal usage is an example of
what someone on the PKIX list once called "workgroup posturing" (it wasn't me,
even if it sounds like the sort of thing I'd say :-).
>Thus, certificate with only SAN '*.example.net' can not match
>'foo.bar.example.net'. Yet, tracing the code in appendix, it appears that the
>code considers this to match.
The pseudocode and long-form descriptions don't match up in a number of
locations. In fact the 2459 pseudocode, the 3280 pseudocode, and the text all
disagree with each other (I haven't checked whether it's changed again in
5280), so depending on which you use as your reference you can get different
results for path validation. Or think of it as a great deal of flexibility in
what you can call a compliant implementation.
I've always taken the text as being definitive. Or at least I produced my own
pseudocode, leading to the inevitable reference to https://xkcd.com/927.
Uta mailing list