On Saturday 14 May 2005 19:50, Nelson B wrote:
> Ian G wrote:
>
> Remember that a cert now contains a LIST of valid domain names.
> So, if the browser were to display names from the list, which name or
> names would it display?
>
> > That would mean that the status bar is simply another
> > confirmation of the original host.
>
> Yes, it confirms that the name you entered is one of the valid names
> given in the cert.

So, if there is a match, then there is a single name that can be displayed. The question then is what would be displayed in the status bar if there was no match for any reason? What's the principle here - show only the cert info OR interpolate where necessary? (This question duplicates my earlier post.)

> BTW, when a cert contains a list of "subject alt names" (SAN), that list
> is definitive; that is, the value of the subject name's CN= field is NOT
> to be considered when SubjectAltNames are present. Thus, the list of
> valid DNSnames is NOT the union of the names in the SAN plus the name
> in the subject's CN=, but rather is just the list in the SAN. So, any
> name that is listed in the CN= must also be listed in the SAN.

Given your other welcome reminder, does IE implement the SAN list and the priority order you describe? If so, then CACert could be encouraged to show some instructions on how to create these certs. If not, then as average users, we would not really want to create them if IE doesn't do it.

iang
-- 
http://iang.org/
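
Added example, not part of the original message and not code from any browser or NSS: a sketch of the name-selection rule quoted above (SAN list is definitive, CN is consulted only when no SAN names exist), returning the single matched name that a status bar could display, or None when nothing matches. The dict layout (`subject_cn`, `san_dns`), the function names and the sample certificates are assumptions constructed for illustration; only dNSName entries and whole-leftmost-label wildcards are modelled.

```python
def _name_matches(pattern: str, host: str) -> bool:
    """Case-insensitive DNS match; '*' may stand in only for the whole leftmost label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    # Require at least two labels after the wildcard, so "*.com" never acts as one.
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h


def valid_dns_names(cert: dict) -> list:
    """Names a client may accept: the SAN list if present, otherwise the CN."""
    san = cert.get("san_dns") or []
    if san:
        return list(san)  # SAN present: the CN is not considered at all
    cn = cert.get("subject_cn")
    return [cn] if cn else []


def matched_name(host: str, cert: dict):
    """Return the one certificate name that matched `host`, or None if no match."""
    for name in valid_dns_names(cert):
        if _name_matches(name, host):
            return name
    return None


# Constructed sample certificates (hypothetical values).
# The CN here is NOT repeated in the SAN, so it is not a valid name.
CERT_SAN_OMITS_CN = {
    "subject_cn": "www.example.com",
    "san_dns": ["example.com", "*.example.net"],
}
# No SAN names at all: the CN is the fallback identity.
CERT_CN_ONLY = {"subject_cn": "www.example.com", "san_dns": []}

if __name__ == "__main__":
    for host, cert in [
        ("www.example.com", CERT_SAN_OMITS_CN),
        ("example.com", CERT_SAN_OMITS_CN),
        ("mail.example.net", CERT_SAN_OMITS_CN),
        ("www.example.com", CERT_CN_ONLY),
    ]:
        print(host, "->", matched_name(host, cert))
```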
