Martin Rex wrote:
>
> Matt McCutchen wrote:
> >
> > For some test results for implementation support for multiple CNs
> > (possibly outdated by now), see:
> >
> > http://wiki.cacert.org/VhostTaskForce#Interoperability_Test
>
> Thanks for that link!
>
> I'm puzzled why the list shows IE. AFAIK, the hostname matching
> is entirely performed inside of SChannel SSP
> (Microsoft's TLS implementation), and that is a part of the operating
> system since at least Windows 2000, and _not_ a part of the MSIE browser.
>
> And even today, the installed base of Windows XP outnumbers the
> installed base of Windows Vista and Windows 7 combined, so talking
> about particular versions of MSIE instead of specific combinations
> of the Windows Operating System plus a particular version of
> the MSIE browser is confusing/misleading.

Background info:

  http://msdn.microsoft.com/en-us/library/aa375924%28VS.85%29.aspx

See description of function parameter pszTargetName in the API description
of the SSPI call InitializeSecurityContext(SChannel).

The pszTargetName input parameter is necessary to make client side
session caching work, so it is likely always asserted by all versions of
MSIE -- causing the SChannel SSP to perform the certificate verification
against this name -- if the documentation is correct.

However, MSIE could add additional checks on top of that, which I am
not aware of.

-Martin
