On 20 July 2016 at 08:58, Florian Schmaus <f...@geekplace.eu> wrote:
> For the near future, I hope that certificates using only srvNames will
> become more common. But if you want to stay super "compatible" with all
> sorts of XMPP software out there, then you probably want to put your
> XMPP domain in the CN too. Which comes with the drawback that the cert
> can be used for all services under that domain.
>
Only for legacy apps. If a SAN exists, CNs should be ignored. If a service-specific SAN exists, non-service-specific SANs should be ignored, though that's even rarer.

Maybe we should have another interop day to figure out how observed these rules are?

Dave.
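
The precedence described in the reply above, next to a CN-only legacy check, as an added example that is not code from either poster or from any XMPP implementation. The function names and the dict layout for a parsed certificate are hypothetical, the sample certificates are constructed, wildcards are not handled, and it assumes that any srvName in the certificate causes dNSName entries to be ignored.

```python
# Added illustration: identifier precedence for a client validating an XMPP
# server certificate. Certificates are plain dicts (hypothetical layout), as a
# parser might produce after extracting subjectAltName entries and the CN.

def reference_identifiers(cert):
    """Return (source, names): the only identifiers a strict client compares."""
    srv = [n.lower() for n in cert.get("srv_names", [])]   # e.g. _xmpp-client.example.org
    dns = [n.lower() for n in cert.get("dns_names", [])]
    cn = cert.get("common_name")
    if srv:                      # service-specific SAN present: ignore the rest
        return "srvName", srv
    if dns:                      # any SAN present: CN is ignored
        return "dNSName", dns
    if cn:                       # no SAN at all: legacy CN fallback
        return "CN", [cn.lower()]
    return "none", []

def accepts(cert, domain, service):
    """Strict check: does the cert identify `service` at `domain`?"""
    source, names = reference_identifiers(cert)
    domain = domain.lower()
    if source == "srvName":
        return f"_{service}.{domain}" in names
    return domain in names       # dNSName / CN are not scoped to a service

def legacy_accepts(cert, domain):
    """Legacy behaviour: looks at the CN only, whatever SANs are present."""
    cn = cert.get("common_name")
    return cn is not None and cn.lower() == domain.lower()

# Constructed sample certificates.
SRV_ONLY = {"srv_names": ["_xmpp-client.example.org"]}
COMPAT = {"srv_names": ["_xmpp-client.example.org"], "common_name": "example.org"}
SAN_AND_CN = {"dns_names": ["chat.example.org"], "common_name": "example.org"}
CN_ONLY = {"common_name": "Example.org"}

if __name__ == "__main__":
    for name, cert in [("SRV_ONLY", SRV_ONLY), ("COMPAT", COMPAT),
                       ("SAN_AND_CN", SAN_AND_CN), ("CN_ONLY", CN_ONLY)]:
        print(name,
              "c2s:", accepts(cert, "example.org", "xmpp-client"),
              "s2s:", accepts(cert, "example.org", "xmpp-server"),
              "legacy:", legacy_accepts(cert, "example.org"))
```

The COMPAT row is the trade-off from the quoted message: a strict client scopes the certificate to `xmpp-client`, while a CN-only client accepts it for the whole domain.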