On Fri, Apr 21, 2006 at 12:24:10PM -0400, Victor Duchovni wrote:

> The subject name in the certificate is an X.500 DN. What Internet
> applications that want to authenticate a connection to a given host are
> trying to verify is a DNS name. The convention for overloading CommonName
> in X.500 DNs as candidate DNS names is a transitional hack. When DNS
> names are present in the SubjectAlternativeName extension, these (with RFC
> blessing) are taken to represent *ALL* the valid DNS names of the subject.
>
> I don't have an RFC reference for such an interpretation. Anyone have
> a handy reference?
Here we go: RFC 2818 section 3.1:

    If a subjectAltName extension of type dNSName is present, that MUST
    be used as the identity. Otherwise, the (most specific) Common Name
    field in the Subject field of the certificate MUST be used. Although
    the use of the Common Name is existing practice, it is deprecated and
    Certification Authorities are encouraged to use the dNSName instead.

-- 
Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
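The RFC 2818 section 3.1 rule quoted above, written out as a small hostname-matching routine. This is an added example, not code from the thread or from the OpenSSL project: the `CertIdentity` class is a constructed stand-in for the subject CN and SAN dNSName values one would extract from a parsed certificate, and the names in the `__main__` block are made up. The precedence logic is exactly the RFC's: when any SAN dNSName is present the SAN list is the whole identity and the CN is ignored; only a certificate with no SAN dNSName falls back to the CN. Wildcard handling is one design choice beyond the quoted text: only a `*` that replaces the entire leftmost label is honoured, and it matches exactly one label, which is stricter than RFC 2818's own "f*.com" wording and avoids the over-broad matches that partial wildcards invite.

```python
"""Hostname matching as prescribed by RFC 2818 section 3.1.

Added example; CertIdentity is a constructed stand-in for the identity
fields of a parsed X.509 certificate, not a real library type.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertIdentity:
    """Subject CommonName and subjectAltName dNSName entries of a certificate."""
    common_name: Optional[str]
    san_dns_names: List[str] = field(default_factory=list)


def candidate_names(cert: CertIdentity) -> List[str]:
    """Return the names the RFC says to check against the hostname.

    RFC 2818 3.1: if a SAN dNSName is present it MUST be used as the
    identity (so the CN is not consulted at all); otherwise the most
    specific CN MUST be used.
    """
    if cert.san_dns_names:
        return list(cert.san_dns_names)
    return [cert.common_name] if cert.common_name else []


def _name_matches(presented: str, hostname: str) -> bool:
    """Compare one presented name with the requested hostname.

    DNS names are case-insensitive and a trailing dot is ignored. A
    wildcard is accepted only as the complete leftmost label of a name
    with at least two further labels (so '*.example.com' is fine but
    '*.com', 'f*.example.com' and 'a.*.example.com' are rejected), and it
    matches exactly one label: '*.example.com' matches 'foo.example.com'
    but neither 'bar.foo.example.com' nor 'example.com'.
    """
    presented = presented.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in presented:
        return presented == hostname
    p_labels = presented.split(".")
    h_labels = hostname.split(".")
    if (
        p_labels[0] != "*"
        or len(p_labels) < 3
        or any("*" in label for label in p_labels[1:])
    ):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def hostname_matches(cert: CertIdentity, hostname: str) -> bool:
    """True if the certificate identifies `hostname` under RFC 2818 3.1."""
    return any(_name_matches(name, hostname) for name in candidate_names(cert))


if __name__ == "__main__":
    # Constructed sample: a cert whose CN names www but whose SAN only names mail.
    cert = CertIdentity("www.example.com", ["mail.example.com"])
    print("www via CN (ignored, SAN present):", hostname_matches(cert, "www.example.com"))
    print("mail via SAN:", hostname_matches(cert, "mail.example.com"))
    legacy = CertIdentity("www.example.com")  # no SAN: CN fallback applies
    print("www via CN fallback:", hostname_matches(legacy, "WWW.EXAMPLE.COM"))
    wild = CertIdentity(None, ["*.example.com"])
    print("one-label wildcard:", hostname_matches(wild, "foo.example.com"))
    print("two labels under wildcard:", hostname_matches(wild, "bar.foo.example.com"))
```

The first sample is the case the thread is about: a client that checks the CN when a SAN dNSName exists would accept `www.example.com`, but the RFC says the SAN list is the identity, so the correct answer is a mismatch.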