I haven't yet seen discussion of one interesting aspect of this issue from the viewpoint of the TLS specification.
The TLS specification says (in RFC 2818) that the client must first compare all subjectAltName extensions with type dNSName to the intended server's identity. That can include wildcarded values. Then the client must check the most specific commonName field.

The RFC goes on to say that while use of commonName to hold a server's identity is existing practice, it is deprecated.

OpenSSL does it right, BTW.

Vic Abell <[EMAIL PROTECTED]>
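As an added example (not part of Vic Abell's post or of OpenSSL), here is the RFC 2818 checking order in Python: the dNSName entries of subjectAltName are tried first, using the RFC's rule that a wildcard stands for a single label or a fragment of one, and the commonName is consulted only when the certificate carries no dNSName SAN at all. The certificate identities and hostnames are constructed inline for demonstration.

```python
# Added example (not from the original post): RFC 2818 style hostname
# verification order -- SAN dNSName entries first (wildcards allowed),
# commonName only when the certificate carries no dNSName SAN.
import re

def _match_label(pattern, label):
    """Match one DNS label against one pattern label.

    RFC 2818 lets '*' stand for any single component or fragment of one,
    so '*.a.com' matches 'foo.a.com' but not 'bar.foo.a.com', and
    'f*.com' matches 'foo.com' but not 'bar.com'.
    """
    if "*" not in pattern:
        return pattern == label
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*")) + "$"
    return re.match(regex, label) is not None

def dns_name_matches(pattern, hostname):
    """Case-insensitive match of a (possibly wildcarded) dNSName against a host."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans a dot
    return all(_match_label(p, h) for p, h in zip(p_labels, h_labels))

def verify_server_identity(hostname, san_dns_names, common_name):
    """Return (ok, reason) following the RFC 2818 checking order.

    san_dns_names: list of dNSName values from subjectAltName (may be empty)
    common_name:   the most specific CN from the subject, or None
    """
    if san_dns_names:
        # When any dNSName SAN is present it is authoritative; CN is ignored.
        for name in san_dns_names:
            if dns_name_matches(name, hostname):
                return True, f"matched subjectAltName dNSName {name!r}"
        return False, "no subjectAltName dNSName matched; CN not consulted"
    # Deprecated fallback: only when the certificate has no dNSName SAN.
    if common_name is not None and dns_name_matches(common_name, hostname):
        return True, f"matched commonName {common_name!r} (deprecated practice)"
    return False, "hostname mismatch"

if __name__ == "__main__":
    # Constructed sample certificate identities for demonstration.
    print(verify_server_identity("www.example.test", ["*.example.test"], "other.test"))
    print(verify_server_identity("www.example.test", [], "www.example.test"))
```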