Re: Wildcard: how are they correct?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Actually, for public CAs, the current standard (the CAB/F
Basic Requirements) require (a), (b) or (c), and prohibit
(d).

The prohibition on (d) is stated indirectly as a prohibition
against putting something that isn't the subjects validated
public DNS name in CN.

In practice, most public CAs use (a) for maximum backward
compatibility.

It should also be noted that it is a lot less than 20 years
since the popular GNU wget utility started looking at
subjectAltName.  Lesser known tools may have been even slower
to implement it.

On 10/10/2018 08:54, Kyle Hamilton wrote:
If subjectAltName exists, CN= is not evaluated.  All the given
examples should work.  (The only exceptions are validators that
haven't been current for more than 20 years.)  None of the examples is
correct.  CN= should not even be included in the certificate.  If it
is, (d) is the closest to correct, if "hello world" is replaced by
something meaningful to the identification or naming of the subject.

-Kyle H
On Tue, Oct 9, 2018 at 11:18 PM Walter H. <walter.h@xxxxxxxxxxxxxxxxx> wrote:
Hello,

which of these possibilities is the correct one?

(a)  CN=*.example.com
      and subjectAltName = DNS:*.example.com, DNS:example.com

(b)  CN=example.com
      and subjectAltName = DNS:example.com, DNS:*.example.com

(c)  CN=example.com
      and subjectAltName = DNS:*.example.com, DNS:example.com

(d)  CN=hello world
      and subjectAltName = DNS:example.com, DNS:*.example.com

Thanks,
Walter

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Enjoy

Jakob
--
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Security]     [Bugtraq]     [Linux]     [Linux OMAP]     [Linux MIPS]     [ECOS]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux