Re: Comments on draft-ietf-secsh-x509-00

To: ietf-ssh%netbsd.org@localhost
Subject: Re: Comments on draft-ietf-secsh-x509-00
From: Tomi Salo <ttsalo%ssh.com@localhost>
Date: Tue, 29 Mar 2005 15:42:30 +0300

Joseph Galbraith writes:
 > Henrick Hellström wrote:
 > > a) On one hand the URI and version string of the server, and on the
 > > other hand the subject and/or subjectAltName of the server certificate
 > 
 > So what you are saying is that the draft ought to include text along
 > the lines of:
 > 
 > When the certificate is used as a hostkey, either the subject name
 > or the subjectaltname SHOULD match the canonical name of the server.
 > (Are their multiple names in the subject name or subject alt name;
 > I don't recall?)

 There is only one subject name, but the number of alternative names
 is unlimited. 

 RFC 2818 (HTTP Over TLS) describes a procedure of comparing a 
 hostname against a X.509 cerficate received from a server. 
 (Section 3, Endpoint Identification). 

 In short: "If a subjectAltName extension of type dNSName is present,
 that MUST be used as the identity. Otherwise, the (most specific)
 Common Name field in the Subject field of the certificate MUST be
 used." Additionally a subjectAltName of type iPAddress may be
 allowed to match the server's IP address. 

-- 
Tomi T. Salo <ttsalo%ssh.com@localhost>

Follow-Ups:
- Re: Comments on draft-ietf-secsh-x509-00
  - From: Joseph Galbraith

References:
- Comments on draft-ietf-secsh-x509-00
  - From: Bill Sommerfeld
- Re: Comments on draft-ietf-secsh-x509-00
  - From: Henrick Hellström
- Re: Comments on draft-ietf-secsh-x509-00
  - From: Joseph Galbraith

Prev by Date: Re: filexfer-07
Next by Date: Re: Comments on draft-ietf-secsh-x509-00
Previous by Thread: Re: Comments on draft-ietf-secsh-x509-00
Next by Thread: Re: Comments on draft-ietf-secsh-x509-00
Indexes:

Home | Main Index | Thread Index | Old Index