IETF-SSH archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Comments on draft-ietf-secsh-x509-00



Joseph Galbraith writes:
 > Henrick Hellström wrote:
 > > a) On one hand the URI and version string of the server, and on the
 > > other hand the subject and/or subjectAltName of the server certificate
 > 
 > So what you are saying is that the draft ought to include text along
 > the lines of:
 > 
 > When the certificate is used as a hostkey, either the subject name
 > or the subjectaltname SHOULD match the canonical name of the server.
 > (Are their multiple names in the subject name or subject alt name;
 > I don't recall?)

 There is only one subject name, but the number of alternative names
 is unlimited. 

 RFC 2818 (HTTP Over TLS) describes a procedure of comparing a 
 hostname against a X.509 cerficate received from a server. 
 (Section 3, Endpoint Identification). 
 
 In short: "If a subjectAltName extension of type dNSName is present,
 that MUST be used as the identity. Otherwise, the (most specific)
 Common Name field in the Subject field of the certificate MUST be
 used." Additionally a subjectAltName of type iPAddress may be
 allowed to match the server's IP address. 

-- 
Tomi T. Salo <ttsalo%ssh.com@localhost>



Home | Main Index | Thread Index | Old Index