Certificate with multiple CN fields - valid?

2010-06-02 Thread John Nagle

   Normally, when a certificate is to be valid for more than one
domain name, one name is in the CN field, and the others are in
the subjectAltName extension.

   But look at the cert for https://www.ipmirror.com/.  It has

CN = admincms.ipmirror.com
CN = business.ipmirror.cn
CN = business.ipmirror.com
CN = business.ipmirror.de
CN = business.ipmirror.jp
CN = business.ipmirror.kr
CN = chat.ipmirror.com
CN = customer.ipmirror.cn
CN = customer.ipmirror.com
CN = customer.ipmirror.de
CN = customer.ipmirror.jp
CN = customer.ipmirror.kr
CN = demo-business.ipmirror.com
CN = demo-customer.ipmirror.com
CN = imap.ipmirror.com
CN = netrunner.ipmirror.com
CN = ote-business.ipmirror.com
CN = ote-customer.ipmirror.com
CN = ote-rapi.ipmirror.com
CN = ote-registryconsole.ipmirror.com
CN = rapi.ipmirror.com
CN = rapiote.ipmirror.com
CN = rcube.ipmirror.com
CN = register.ipmirror.de
CN = registryconsole.ipmirror.com
CN = telhosting.ipmirror.com
CN = www.ipmirror.com

This was issued by

CN = PositiveSSL CA
O = Comodo CA Limited
L = Salford
ST = Greater Manchester
C = GB

Validity dates are
(1/6/2010 0:00:00 AM GMT) to (7/10/2010 23:59:59 PM GMT)
so it's a currently live cert from a major CA.  The
cert chain validates properly.

Is this considered valid?

John Nagle
__
OpenSSL Project http://www.openssl.org
User Support Mailing List   openssl-users@openssl.org
Automated List Manager   majord...@openssl.org


Wildcard certs vs. base name

2008-11-13 Thread John Nagle

Question: Is a certificate for *.example.com considered valid for 
example.com?

OpenSSL seems to say no, but Firefox 2 says yes.  Try
https://stanford.edu for a test.

RFC 2459 doesn't discuss wildcards.  I haven't paid
73 CHF to access the X.509 standard at 
http://www.itu.int/rec/T-REC-X.509-200508-I/en.


John Nagle
SiteTruth
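
An added example, not part of either post and not OpenSSL or Firefox code: a small hostname check showing how the answers to both questions depend on client policy, covering a subject with several CN values and a strict label-for-label wildcard rule under which `*.example.com` does not cover `example.com`. The function names and `multi_cn` modes are hypothetical, the certificates are constructed dicts in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and preferring dNSName entries over CN follows RFC 2818 section 3.1.

```python
# Added illustration; check_host, dns_match and the multi_cn modes are hypothetical names.
# Certificates use the dict shape returned by ssl.SSLSocket.getpeercert().

def dns_match(pattern, host):
    """Label-for-label match; '*' may replace only the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False  # *.example.com has three labels, example.com has two
    if p[0] == "*":
        # Assumed strict policy: at least two fixed labels after the wildcard.
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def candidate_names(cert):
    """Return dNSName SAN entries if present, otherwise every CN in the subject."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans, "subjectAltName"
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return cns, "commonName"

def check_host(cert, host, multi_cn="any"):
    """multi_cn: 'any' = match any CN, 'last' = only the last CN, 'reject' = refuse."""
    names, source = candidate_names(cert)
    if source == "commonName" and len(names) > 1:
        if multi_cn == "reject":
            return False
        if multi_cn == "last":
            names = names[-1:]
    return any(dns_match(n, host) for n in names)

# Constructed sample data: three of the CN values quoted in the first post, no SAN.
MULTI_CN = {"subject": ((("commonName", "admincms.ipmirror.com"),),
                        (("commonName", "chat.ipmirror.com"),),
                        (("commonName", "www.ipmirror.com"),))}
# Constructed wildcard certificate for the second post's question.
WILDCARD = {"subject": ((("commonName", "*.example.com"),),),
            "subjectAltName": (("DNS", "*.example.com"),)}

if __name__ == "__main__":
    for mode in ("any", "last", "reject"):
        print(mode, check_host(MULTI_CN, "chat.ipmirror.com", mode))
    for host in ("www.example.com", "example.com", "a.b.example.com"):
        print(host, check_host(WILDCARD, host))
```

A client that reads only one CN accepts or rejects the same multi-CN certificate depending on which CN it picks, which is why the result differs between implementations.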