Re: [certid] Comments on draft-saintandre-tls-server-id-check-04

[Nelson B Bolyard <nelson@bolyard.me>]

On 2010-06-04 02:35 PDT, Peter Sylvester wrote:
>> The phrease "the (most specific) Common Name field in the subject field"
>> is not plural.  There is at most one Common Name attribute in the name
>> that is *the* most specific one.  The words "most specific" refer to its
>> position in the list of RDNs, which are arranged (as encoded in the
>> certificate Name field) from most general (first) to most specific
>> (last).  So, the most specific Common Name is the last of the Common
>> Name attributes in the sequence of RDNs, as encoded in the certificate.
>>    
> You can have two AVAs of the same type in the on RDN, i.e.
> two common names in the same RDN. There the interpretation
> of most-significant is not clear.

Agreed, in principle.  In practice, I've never seen a certificate produced
by a real CA with multiple AVAs in a single RDN.  I've seen them in certs
produced by test scripts, and by people playing with OpenSSL.  :)

> There term of 2818 itself is wrong, there is no such thing
> a 'Common Name field'.

Agreed, whole heartedly.  Still, we know what they meant.  But I'm glad this
mistake is not repeated in your draft.

> If one puts no more than one AVA of type CN into an
> RDN, and only one of such RDN, the result is ok.

I agree with the first part of that.  Don't see why the second restriction
is necessary for the result to be OK.

> The "(most specific)" is a kind of hint not to put more
> than one unless you want to attack like a \0 :-)

Yes, an attach to which software that ignores the "most specific"
requirement will be vulnerable.

> /P
> 
> PS: I "like" the *.ietf.org cert use by the server  'ietf.org'  :-)