On Fri, Aug 30, 2002 at 12:40:11AM +0200, Henrique de Moraes Holschuh wrote:
> > Right now, every TLS-enabled package tries to screw it up in new and
> never-before-tried ways.
One commonly missing feature is that the certificate should contain a subjectAltName extension of type dNSName containing the hostname of the machine (or, at least, put the hostname in the Common Name). See RFC2818 and RFC2595.

Should a "recommended contents for X.509 certificates for TLS" be added to Debian Policy?

On a similar subject, there seem to be more than a few applications that have had "SSL/TLS support" added, but don't do any hostname checking against the certificate - leaving you open to man-in-the-middle attacks.

Andrew

-- 
Andrew McDonald
E-mail: [EMAIL PROTECTED]
http://www.mcdonald.org.uk/andrew/
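The two points in the message above, a certificate's dNSName in subjectAltName being the identity to check (with the Common Name only as a fallback) and an application that skips the hostname check being open to a man-in-the-middle, shown as an added example. This is not code from the thread or from any Debian package; the function names are mine, the certificate dicts follow the shape Python's `ssl.SSLSocket.getpeercert()` returns, and every certificate in it is a constructed fixture rather than a real one.

```python
"""Hostname checking of a TLS peer certificate, following RFC 2818 section 3.1:
dNSName entries in subjectAltName are the server identity; the Common Name is
consulted only when no dNSName is present; a wildcard stands for one label.

Certificates use the dict shape Python's ssl.SSLSocket.getpeercert() returns,
so match_hostname() could sit in front of a real socket. All certificates
below are constructed fixtures for this example, not real certificates.
"""


def _dns_match(pattern, hostname):
    """Match one dNSName pattern against hostname, case-insensitively.

    Design choice here (stricter than RFC 2818's "f*.com" allowance): a
    wildcard must be the whole leftmost label and the pattern must keep at
    least two further labels, so "*.example.org" matches "mail.example.org"
    but not "example.org" or "a.b.example.org", and "*.org" is never accepted.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    labels = pattern.split(".")
    if labels[0] != "*" or len(labels) < 3 or any("*" in l for l in labels[1:]):
        return False
    host_labels = hostname.split(".")
    return len(host_labels) == len(labels) and host_labels[1:] == labels[1:]


def match_hostname(cert, hostname):
    """Return True if hostname is an acceptable name for cert.

    If any subjectAltName dNSName is present it is the identity and the
    Common Name is ignored (RFC 2818). Otherwise fall back to the last
    commonName in the subject, the most specific one in X.500 ordering.
    """
    dns_names = [value for kind, value in cert.get("subjectAltName", ())
                 if kind == "DNS"]
    if dns_names:
        return any(_dns_match(p, hostname) for p in dns_names)
    common_names = [value for rdn in cert.get("subject", ())
                    for key, value in rdn if key == "commonName"]
    if not common_names:
        return False  # nothing ties this certificate to any host
    return _dns_match(common_names[-1], hostname)


def verify_peer_insecure(cert, hostname):
    """What an application that 'added SSL/TLS support' without hostname
    checking effectively does: any certificate the library accepted passes,
    whoever it was issued to. The hostname argument is unused on purpose."""
    return bool(cert)


def verify_peer(cert, hostname):
    """Hardened form: the certificate must also name the host we dialed."""
    return bool(cert) and match_hostname(cert, hostname)


# Constructed fixtures in getpeercert() shape (tuples of RDNs, SAN pairs).
GOOD_CERT = {
    "subject": ((("countryName", "GB"),), (("commonName", "mail.example.org"),)),
    "subjectAltName": (("DNS", "mail.example.org"), ("DNS", "smtp.example.org")),
}
CN_ONLY_CERT = {  # no subjectAltName at all: the "commonly missing feature"
    "subject": ((("commonName", "mail.example.org"),),),
}
SAN_WINS_CERT = {  # CN matches, but a dNSName is present and takes precedence
    "subject": ((("commonName", "mail.example.org"),),),
    "subjectAltName": (("DNS", "other.example.net"),),
}
WILDCARD_CERT = {
    "subject": ((("commonName", "*.example.org"),),),
    "subjectAltName": (("DNS", "*.example.org"),),
}
ATTACKER_CERT = {  # a valid certificate, but for the attacker's own host
    "subject": ((("commonName", "mitm.example.net"),),),
    "subjectAltName": (("DNS", "mitm.example.net"),),
}


def main():
    target = "mail.example.org"
    cases = [("good", GOOD_CERT), ("cn-only", CN_ONLY_CERT),
             ("san-wins", SAN_WINS_CERT), ("wildcard", WILDCARD_CERT),
             ("attacker", ATTACKER_CERT)]
    print(f"{'cert':10} {'insecure':9} {'checked':8}")
    for name, cert in cases:
        print(f"{name:10} {verify_peer_insecure(cert, target)!s:9} "
              f"{verify_peer(cert, target)!s:8}")


if __name__ == "__main__":
    main()
```

Running it prints one row per fixture: the "attacker" row is the man-in-the-middle case, where the unchecked path accepts a certificate issued to a different host and the checked path rejects it, and the "san-wins" row shows why the dNSName, not the Common Name, is the identity once a subjectAltName is present.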