Victor Duchovni wrote:
> On Fri, Apr 21, 2006 at 12:24:10PM -0400, Victor Duchovni wrote:
>> in X.500 DNs as candidate DNS names is a transitional hack. When DNS
>> names are present in the SubjectAlternativeName extension, these (with RFC
>> blessing) are taken to represent *ALL* the valid DNS names of the subject.
>
> Here we go: RFC 2818 section 3.1:
>
>     If a subjectAltName extension of type dNSName is present, that MUST
>     be used as the identity. Otherwise, the (most specific) Common Name
>     field in the Subject field of the certificate MUST be used. Although
>     the use of the Common Name is existing practice, it is deprecated and
>     Certification Authorities are encouraged to use the dNSName instead.
I don't think the RFC wording is totally clear, although I lean toward your interpretation a little bit. I have based my code on the "Network Security with OpenSSL" book samples, which first check dNSName but happily continue to check commonName if no match was found in dNSName. Perhaps an erratum to the book would be in order? See page 136 (June 2002 First Edition).

-- 
Heikki Toivonen
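The two policies under discussion, side by side, as an added example that is not part of the thread and not the book's or OpenSSL's code: `identity_rfc2818` applies RFC 2818 section 3.1 literally (once any dNSName SAN is present, the CN is never consulted), while `identity_with_cn_fallback` is the book-style check that falls through to the CN when no SAN matched. Certificates are represented as constructed lists of SAN dNSNames and subject CNs rather than parsed X.509; "most specific Common Name" is taken here to mean the last CN in the subject, which is an assumption. Wildcard handling follows the RFC's rule that `*` matches a single label or label fragment.

```python
"""
Server-identity matching per RFC 2818 section 3.1, beside the
"dNSName first, then commonName" fallback used by the book samples.
Illustration only: certificate contents are constructed tuples.
"""
import re
from typing import Dict, Sequence


def match_rfc2818_name(pattern: str, hostname: str) -> bool:
    """RFC 2818: '*' matches any single domain name component or
    component fragment, so a wildcard never spans a dot.
    DNS names are compared case-insensitively."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False  # '*.example.com' does not cover 'a.b.example.com'
    for p, h in zip(p_labels, h_labels):
        if "*" in p:
            # Turn the label into a regex: '*' -> '[^.]*', everything else literal.
            regex = "^" + "[^.]*".join(re.escape(part) for part in p.split("*")) + "$"
            if not re.match(regex, h):
                return False
        elif p != h:
            return False
    return True


def identity_rfc2818(san_dns: Sequence[str], subject_cns: Sequence[str],
                     hostname: str) -> bool:
    """If any dNSName SAN exists, the SANs ARE the identity and the CN is
    ignored even when none of them match. Only a cert with no dNSName at
    all falls back to the (assumed last, 'most specific') CN."""
    if san_dns:
        return any(match_rfc2818_name(n, hostname) for n in san_dns)
    if subject_cns:
        return match_rfc2818_name(subject_cns[-1], hostname)
    return False


def identity_with_cn_fallback(san_dns: Sequence[str], subject_cns: Sequence[str],
                              hostname: str) -> bool:
    """Book-style check: try dNSName first, then still consult the CN
    when the SANs did not match."""
    if any(match_rfc2818_name(n, hostname) for n in san_dns):
        return True
    return bool(subject_cns) and match_rfc2818_name(subject_cns[-1], hostname)


def compare_policies(hostname: str) -> Dict[str, Dict[str, bool]]:
    """Run both policies over constructed certificates for one hostname.
    The 'san_mismatch_cn_match' case is where the two policies diverge."""
    certs = {
        # SAN lists a different host; CN names the one we connect to.
        "san_mismatch_cn_match": (["www.example.net"], ["www.example.com"]),
        # SAN names the host directly; CN irrelevant.
        "san_match": (["www.example.com"], ["ignored"]),
        # Legacy cert with no dNSName SAN at all.
        "cn_only": ([], ["Example Corp", "www.example.com"]),
        # Wildcard SAN.
        "wildcard_san": (["*.example.com"], []),
    }
    return {
        name: {
            "rfc2818": identity_rfc2818(sans, cns, hostname),
            "cn_fallback": identity_with_cn_fallback(sans, cns, hostname),
        }
        for name, (sans, cns) in certs.items()
    }


if __name__ == "__main__":
    for name, result in compare_policies("www.example.com").items():
        print(f"{name:24s} rfc2818={result['rfc2818']!s:5s} "
              f"cn_fallback={result['cn_fallback']}")
```

The interesting row is `san_mismatch_cn_match`: the fallback policy accepts the certificate on the strength of its CN, while the RFC text quoted above says the CN MUST NOT be used once a dNSName is present, so a strict implementation rejects it.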