[certid] CN fallback
Ludwig Nussel <ludwig.nussel@suse.de> Tue, 23 March 2010 14:43 UTC
From: Ludwig Nussel <ludwig.nussel@suse.de>
To: certid@ietf.org
Date: Tue, 23 Mar 2010 15:44:05 +0100

Hi,

| If and only if the identity set does not include subjectAltName
| extensions of type dNSName, SRVName, uniformResourceIdentifier (or
| other application-specific subjectAltName extensions), the client MAY
| as a fallback check the value of the Common Name (CN)

What about rewording that to the following?

| If and only if the certificate does not include any subjectAltName
| extensions, the client MAY as a fallback check the value of the
| Common Name (CN)

That would avoid having generic implementations look into the CN as
fallback when it doesn't make sense. iPAddress for example isn't
specified by the I-D (why anyways?). So a conforming implementation
could use the CN when looking for a hostname even if a
subjectAltName of type iPAddress is present.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
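
The difference between the two wordings quoted in the message above, as an added example that is not part of the original post. The `Cert` model, the rule names `draft` and `proposed`, and the sample hostnames and address are constructed assumptions; matching is exact, with no wildcard handling.

```python
from dataclasses import dataclass, field

# SAN types the quoted draft text lists as suppressing the CN fallback.
DRAFT_TYPES = {"dNSName", "SRVName", "uniformResourceIdentifier"}

@dataclass
class Cert:
    """Constructed stand-in for a parsed certificate (not an X.509 parser)."""
    common_name: str
    sans: list = field(default_factory=list)  # [(san_type, value), ...]

def cn_fallback_allowed(cert, rule):
    """True if the given wording lets a client consult the CN."""
    san_types = {t for t, _ in cert.sans}
    if rule == "draft":      # first quoted wording: only listed types block it
        return not (san_types & DRAFT_TYPES)
    if rule == "proposed":   # reworded text: any subjectAltName blocks it
        return not san_types
    raise ValueError(f"unknown rule: {rule}")

def _norm(name):
    return name.lower().rstrip(".")

def hostname_matches(cert, hostname, rule):
    """Check a hostname against dNSName entries, then the CN if permitted."""
    host = _norm(hostname)
    if any(_norm(v) == host for t, v in cert.sans if t == "dNSName"):
        return True
    if cn_fallback_allowed(cert, rule):
        return _norm(cert.common_name) == host
    return False

# Constructed sample certificates.
IP_ONLY = Cert("www.example.com", [("iPAddress", "192.0.2.10")])
NO_SAN = Cert("www.example.com")
DNS_SAN = Cert("old.example.com", [("dNSName", "www.example.com")])

def compare(cert, hostname):
    """Return the verdict under each wording for one cert/hostname pair."""
    return {r: hostname_matches(cert, hostname, r) for r in ("draft", "proposed")}

if __name__ == "__main__":
    for label, cert, host in [("iPAddress SAN only", IP_ONLY, "www.example.com"),
                              ("no SAN at all", NO_SAN, "www.example.com"),
                              ("dNSName SAN, stale CN", DNS_SAN, "old.example.com")]:
        print(f"{label:24} {host:18} {compare(cert, host)}")
```

Only the certificate carrying nothing but an iPAddress subjectAltName is judged differently: the first wording still accepts the hostname through the CN, while the reworded text rejects it.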