Hi Peter,

Peter Saint-Andre wrote:

> On 3/23/10 8:44 AM, Ludwig Nussel wrote:
>> Hi,
>>
>> | If and only if the identity set does not include subjectAltName
>> | extensions of type dNSName, SRVName, uniformResourceIdentifier (or
>> | other application-specific subjectAltName extensions), the client MAY
>> | as a fallback check the value of the Common Name (CN)
>>
>> What about rewording that to the following?
>>
>> | If and only if the certificate does not include any subjectAltName
>> | extensions, the client MAY as a fallback check the value of the
>> | Common Name (CN)
>
> I don't see a strong reason to change that text. This specification is
> about checking domain names, not IP addresses.
>
> As an aside, I must say that I'm tempted to move everything about CNs to
> a separate section,

That would be Ok with me.

> or to remove it entirely, because I don't think it's
> a best current practice for secure authentication.

Personally, I don't think removing it is going to be a service to the
community, because this is the current practice, even if it is not the
best one.

_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
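
The two wordings quoted in the thread above, compared side by side as an added example (not code from the message, the draft, or any participant). The certificate dictionaries, function names and sample values are constructed for illustration; the "other application-specific" subjectAltName types the draft mentions are not enumerated on this page, so only the three named types are modelled.

```python
# Added illustration: when does each wording permit the CN fallback?
# Certificates are constructed sample data, modelled as plain dicts with a
# Common Name and a list of (SAN type, value) pairs. Names are hypothetical.

# SAN types named in the draft wording quoted in the thread.
DRAFT_BLOCKING_TYPES = {"dNSName", "SRVName", "uniformResourceIdentifier"}


def cn_fallback_draft(cert):
    """Draft wording: fallback allowed iff no dNSName/SRVName/URI SAN exists."""
    return not any(t in DRAFT_BLOCKING_TYPES for t, _ in cert["subjectAltName"])


def cn_fallback_proposed(cert):
    """Proposed rewording: fallback allowed iff there is no SAN at all."""
    return len(cert["subjectAltName"]) == 0


def compare(certs):
    """Return {name: (draft_allows, proposed_allows)} for each certificate."""
    return {
        name: (cn_fallback_draft(c), cn_fallback_proposed(c))
        for name, c in certs.items()
    }


# Constructed certificates covering the cases the thread turns on.
SAMPLE_CERTS = {
    "cn_only": {"cn": "www.example.com", "subjectAltName": []},
    "dns_san": {"cn": "www.example.com",
                "subjectAltName": [("dNSName", "www.example.com")]},
    "ip_san_only": {"cn": "www.example.com",
                    "subjectAltName": [("iPAddress", "192.0.2.10")]},
    "email_san_only": {"cn": "www.example.com",
                       "subjectAltName": [("rfc822Name", "admin@example.com")]},
}

if __name__ == "__main__":
    for name, (draft, proposed) in compare(SAMPLE_CERTS).items():
        note = "" if draft == proposed else "  <- wordings differ"
        print(f"{name:15} draft={draft!s:5} proposed={proposed!s:5}{note}")
```

The wordings agree when the certificate has no subjectAltName or has a dNSName entry; they differ only when the sole subjectAltName entries are of other types such as iPAddress, where the draft wording still permits the CN check and the proposed wording does not.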