On Wed, May 12, 2010 at 03:58:23PM -0700, Love Hörnquist Åstrand wrote:
> 
> 12 maj 2010 kl. 15:37 skrev Peter Saint-Andre:
> 
> >> So I'm not sure right now what to say about that. I suspect we can still
> >> stipulate that the only RDN having attr type of CN that we'll pay
> >> attention to is the one at the far end of the RDN sequence comprising
> >> the DN.
> > 
> > We can stipulate that, but is it realistic?
> 
> Yes, since that's what RFC 2818 said.

RFC 2818 says that you use the most specific CN RDN.  Not the most 
specific RDN, iff it is a CN.  That is completely different.

The stats I ran said that maybe 10/20% of existing certs place the CN 
somewhere other than the most specific field.  Who out there is going to 
change their software to implement a CN matching algorithm which breaks 
interop with 10/20% of SSL servers?

Regards, Joe
_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
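
The two rules contrasted in the message above ("most specific CN RDN" versus "most specific RDN, only if it is a CN"), run side by side over a few subject DNs. This is an added example, not code from the thread; the function names and every sample name are constructed for illustration, and DNs are assumed to be listed in certificate encoding order with the most specific RDN last.

```python
# Subject DNs in certificate encoding order: the first RDN is the least
# specific (e.g. C), the last RDN is the most specific. Each RDN is a list
# of (attribute type, value) pairs; a multi-valued RDN has several pairs.
# All names below are constructed sample data.
SAMPLE_SUBJECTS = {
    "cn-last": [[("C", "US")], [("O", "Example Corp")],
                [("CN", "www.example.com")]],
    "cn-then-email": [[("C", "US")], [("O", "Example Corp")],
                      [("CN", "mail.example.com")],
                      [("emailAddress", "hostmaster@example.com")]],
    "cn-then-ou": [[("O", "Example Corp")], [("CN", "shop.example.com")],
                   [("OU", "Web Services")]],
    "two-cns": [[("O", "Example Corp")], [("CN", "Example Web Team")],
                [("CN", "intranet.example.com")]],
    "no-cn": [[("O", "Example Corp")], [("OU", "Web Services")]],
}


def cn_values(rdn):
    """Return the CN values in one RDN (sorted, since an RDN is a set)."""
    return sorted(v for t, v in rdn if t.upper() == "CN")


def most_specific_cn(subject):
    """Walk back from the most specific RDN; return the first CN found."""
    for rdn in reversed(subject):
        found = cn_values(rdn)
        if found:
            return found
    return []


def cn_only_if_last_rdn(subject):
    """Return a CN only when the most specific RDN itself carries one."""
    return cn_values(subject[-1]) if subject else []


def divergent(subjects):
    """Names of subjects for which the two rules select different values."""
    return sorted(name for name, dn in subjects.items()
                  if most_specific_cn(dn) != cn_only_if_last_rdn(dn))


if __name__ == "__main__":
    for name, dn in SAMPLE_SUBJECTS.items():
        print(f"{name:14} most-specific-CN={most_specific_cn(dn)} "
              f"last-RDN-only={cn_only_if_last_rdn(dn)}")
    print("divergent:", divergent(SAMPLE_SUBJECTS))
```

Subjects reported as divergent are the ones a client using the stricter rule would stop matching by CN.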
