>>On May 31, 2016, at 9:54 AM, Blumenthal, Uri - 0553 - MITLL
>><u...@ll.mit.edu> wrote:
>>
>>> As one example, mozilla::pkix treats the CN as a dNSName/iPAddress iff
>>>there is no subjectAltName extension and iff the CN is a valid
>>>dNSName/iPAddress syntactically.
>>
>> That approach seems wrong.
>
>Could you explain your point in more detail than putting "wrong"
>in bold text? Though ad-hoc, it seems about the best one can do,
>absent additional information.

IMHO allowing CN to be interpreted as a DNS name would open a new attack surface by making more name collisions (between people and host names) possible.
--
openssl-dev mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-dev
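
The CN fallback rule described in the quoted message, as an added Python sketch (not mozilla::pkix code and not part of the thread). The certificate dict layout, the function names and the syntax checks (LDH labels, `ipaddress` parsing) are assumptions for illustration; the sample certificates are constructed.

```python
import ipaddress
import re

# Assumption: "syntactically valid dNSName" = dot-separated LDH labels,
# 1-63 chars each, no leading/trailing hyphen, total length <= 253.
_LABEL = re.compile(r"(?!-)[A-Za-z0-9-]{1,63}(?<!-)")

def is_ip_address(value):
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def is_dns_name(value):
    if not value or len(value) > 253:
        return False
    labels = value.split(".")
    if not all(_LABEL.fullmatch(label) for label in labels):
        return False
    # An all-numeric last label would be confusable with an IP address.
    return not labels[-1].isdigit()

def presented_identifiers(cert):
    """Return the (type, value) names a verifier would match a host against.

    cert is a hypothetical parsed form: {"common_name": str or None,
    "san": None if the extension is absent, else a list of (type, value)}.
    """
    san = cert.get("san")
    if san is not None:
        # SAN extension present: the CN is never consulted, even when the
        # extension holds no dNSName or iPAddress entry at all.
        return [(t, v) for t, v in san if t in ("dNSName", "iPAddress")]
    cn = cert.get("common_name")
    if cn is None:
        return []
    if is_ip_address(cn):
        return [("iPAddress", cn)]
    if is_dns_name(cn):
        return [("dNSName", cn)]
    return []  # e.g. a personal name with spaces is not a host identifier

# Constructed sample certificates.
HOST_CN = {"common_name": "www.example.com", "san": None}
PERSON_CN = {"common_name": "John Smith", "san": None}
EMAIL_SAN = {"common_name": "www.example.com",
             "san": [("rfc822Name", "js@example.com")]}
SHORT_CN = {"common_name": "jsmith", "san": None}
```

`SHORT_CN` is the case the reply is concerned with: a CN issued for a person that is also a syntactically valid single-label host name passes the fallback check.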