Kaspar Brand wrote:
> [1] Re-reading section 3.1 in RFC 2818 can actually confirm this
> hypothesis, under the following interpretation: "the (most specific)
> Common Name field in the Subject field of the certificate MUST be used"
> can be understood to mean the domain name which has the highest number
> of DNS labels: if the subject has CN=foo.example.net and CN=example.net,
> then the first one must be used for the identity check (it's more
> specific than CN=example.net), irrespective of its position in the DER
> encoded subject, actually.
That interpretation at least doesn't require knowledge about certificate encoding subtleties. It's ambiguous though. You could have several CNs with an equal number of dots after all. Just think of this one: http://www.mail-archive.com/[email protected]/msg61198.html

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)

_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
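The point of the exchange above, as an added illustration that is not part of the thread or of any library's code: when a subject carries several CN attributes, the "most specific Common Name" reading of RFC 2818 section 3.1 picks the value with the most DNS labels, but that rule has no answer when two CNs tie. The subject below is modelled as an ordered list of (attribute, value) pairs standing in for DER order; the values are constructed, and no real certificate parsing is performed.

```python
"""Added example (not from the certid thread): the "most specific CN"
reading of RFC 2818 section 3.1 applied to a subject with several CNs,
and why a tie leaves the rule without an answer."""

from typing import List, Optional, Tuple

# A subject as an ordered list of RDN attributes, mimicking the order in
# which they appear in the DER-encoded Subject. All values are constructed.
Subject = List[Tuple[str, str]]


def common_names(subject: Subject) -> List[str]:
    """Return every CN value in the order it appears in the subject."""
    return [value for attr, value in subject if attr == "CN"]


def label_count(name: str) -> int:
    """Number of DNS labels, e.g. 'foo.example.net' -> 3."""
    return len([label for label in name.strip(".").split(".") if label])


def most_specific_cn(subject: Subject) -> Optional[str]:
    """Pick the CN with the most DNS labels, regardless of DER position.

    Returns None when no CN exists or when two or more CNs tie for the
    highest label count; the tie is exactly the ambiguity raised above,
    and a verifier should not guess in that case.
    """
    cns = common_names(subject)
    if not cns:
        return None
    best = max(label_count(cn) for cn in cns)
    candidates = [cn for cn in cns if label_count(cn) == best]
    if len(candidates) != 1:
        return None
    return candidates[0]


def last_cn(subject: Subject) -> Optional[str]:
    """The competing reading: whichever CN appears last in DER order."""
    cns = common_names(subject)
    return cns[-1] if cns else None


def matches_host(subject: Subject, host: str) -> bool:
    """Host name check under the most-specific rule; an ambiguous subject
    is treated as a failed match rather than resolved by guesswork."""
    chosen = most_specific_cn(subject)
    return chosen is not None and chosen.lower() == host.lower()


if __name__ == "__main__":
    # Kaspar's case: the three-label CN wins regardless of its position.
    unambiguous: Subject = [("C", "XX"), ("CN", "example.net"), ("CN", "foo.example.net")]
    # Ludwig's objection: two CNs with the same number of labels.
    ambiguous: Subject = [("C", "XX"), ("CN", "foo.example.net"), ("CN", "bar.example.net")]
    print(most_specific_cn(unambiguous))  # foo.example.net
    print(most_specific_cn(ambiguous))    # None
    print(last_cn(ambiguous))             # bar.example.net
```

The two selection functions make the disagreement concrete: `most_specific_cn` returns the same answer for the unambiguous subject whichever way the CNs are ordered, while for the tied subject it returns None and `last_cn` silently picks one, so a verifier built on the label-count rule alone must decide what to do with a tie.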
