On Fri, Sep 12, 2014 at 4:20 PM, Heikki Linnakangas <hlinnakan...@vmware.com> wrote:
>> Hmm. If that's what the browsers do, I think we should also err on the >> side of caution here. Ignoring the CN is highly unlikely to cause anyone >> a problem; a CA worth its salt should not issue a certificate with a CN >> that's not also listed in the SAN section. But if you have such a >> certificate anyway for some reason, it shouldn't be too difficult to get >> a new certificate. Certificates expire every 1-3 years anyway, so there >> must be a procedure to renew them anyway. > > > Committed, with that change, ie. the CN is not checked if SANs are present. > > Thanks for bearing through all these iterations! Great news! Thank you very much for devoting your time and energy to the review and providing such a useful feedback! On the CN thing, I don't have particularly strong arguments for either of the possible behaviors, so sticking to RFC makes sense here Sincerely, -- Alexey Klyukin -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers