Ilari Liusvaara <ilariliusva...@welho.com> writes:

>1) CN-IDs have long been deprecated.

Right, but everyone uses the CN for the primary ID anyway, that's pretty much the universal usage for it. Deprecating this universal usage is an example of what someone on the PKIX list once called "workgroup posturing" (it wasn't me, even if it sounds like the sort of thing I'd say :-).

>Thus, certificate with only SAN '*.example.net' can not match
>'foo.bar.example.net'. Yet, tracing the code in appendix, it appears that the
>code considers this to match.

The pseudocode and long-form descriptions don't match up in a number of locations. In fact the 2459 pseudocode, the 3280 pseudocode, and the text all disagree with each other (I haven't checked whether it's changed again in 5280), so depending on which you use as your reference you can get different results for path validation. Or think of it as a great deal of flexibility in what you can call a compliant implementation.

I've always taken the text as being definitive. Or at least I produced my own pseudocode, leading to the inevitable reference to https://xkcd.com/927.

Peter.

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
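The wildcard point raised in the quoted text (a SAN of `*.example.net` must not be accepted for `foo.bar.example.net`) is the kind of rule that is easy to get wrong when translating prose into code. The following is an added example, not code from this thread, from Peter's or Ilari's implementations, or from any RFC appendix; it implements the usual RFC 6125-style DNS-ID comparison in which a wildcard is honoured only as the complete leftmost label and consumes exactly one label. It assumes the presented identifiers have already been extracted from the certificate's SAN dNSName entries as plain strings; the function and variable names are the example's own.

```python
"""DNS-ID wildcard matching for TLS server identity checks (added example).

Rules implemented (the RFC 6125 section 6.4.3 conventions):
  * comparison is case-insensitive, label by label, ignoring one trailing dot;
  * a wildcard is only honoured as the entire leftmost label ("*.example.net");
  * the wildcard matches exactly one label, so "*.example.net" matches
    "foo.example.net" but neither "foo.bar.example.net" nor "example.net";
  * a wildcard must be followed by at least two labels ("*.net" is refused).
"""

from typing import Iterable


def _labels(name: str) -> list:
    """Lower-case the name, drop a single trailing dot, split into labels."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def dns_id_matches(reference_id: str, presented_id: str) -> bool:
    """True if the certificate's presented DNS-ID matches the reference
    identity (the host name the client intended to reach)."""
    # A reference identity is what the user typed; it never carries a wildcard.
    if "*" in reference_id:
        return False

    ref = _labels(reference_id)
    pres = _labels(presented_id)

    # An empty label means a malformed name such as "foo..example.net".
    if "" in ref or "" in pres:
        return False

    if "*" not in presented_id:
        # No wildcard: the names must be identical label for label.
        return ref == pres

    # Wildcard permitted only as the whole leftmost label; partial wildcards
    # such as "f*.example.net" and wildcards in later labels are rejected.
    if pres[0] != "*" or any("*" in label for label in pres[1:]):
        return False

    # Refuse overly broad wildcards like "*.net" (constructed policy choice).
    if len(pres) < 3:
        return False

    # The wildcard stands in for exactly one label, so the label counts must
    # agree and every label to the right of it must match exactly.  This is
    # the check that makes "*.example.net" reject "foo.bar.example.net".
    return len(ref) == len(pres) and ref[1:] == pres[1:]


def cert_matches(reference_id: str, san_dns_ids: Iterable[str]) -> bool:
    """True if any SAN dNSName entry matches the reference identity."""
    return any(dns_id_matches(reference_id, p) for p in san_dns_ids)


if __name__ == "__main__":
    # Constructed sample: a certificate carrying a single wildcard SAN.
    san = ["*.example.net"]
    for host in ("foo.example.net", "foo.bar.example.net", "example.net"):
        print(host, "->", cert_matches(host, san))
```

The decisive line is the final `len(ref) == len(pres)` comparison: an implementation that instead strips the `*.` prefix and tests `endswith()` will silently accept the multi-label case the quoted text objects to.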