Re: clarifications needed re safe form editor cert matching algorithm

It is in huge use. For example, if you go to https://signin.ebay.com and
look at the cert, the CN is signin.ebay.com but the certificate subject alt
name lists:

Not Critical
DNS Name: signin.cafr.ebay.ca
DNS Name: signin.ebay.ca
DNS Name: signin.ebay.com.au
DNS Name: signin.ebay.com.cn
DNS Name: signin.express.ebay.com
DNS Name: signin.half.ebay.com
DNS Name: signin.liveauctions.ebay.com
DNS Name: signin.shopping.ebay.com
DNS Name: signin.tw.ebay.com
DNS Name: signin.ebay.com

and if you go to https://signin.ebay.de you again get a cert with
CN=signin.ebay.com but alt names of:

Not Critical
DNS Name: signin.befr.ebay.be
DNS Name: signin.benl.ebay.be
DNS Name: signin.ebay.at
DNS Name: signin.ebay.be
DNS Name: signin.ebay.co.uk
DNS Name: signin.ebay.de
DNS Name: signin.ebay.es
DNS Name: signin.ebay.fr
DNS Name: signin.ebay.ie
DNS Name: signin.ebay.nl
DNS Name: signin.express.ebay.co.uk
DNS Name: signin.ebay.com

So yeah, it's important.

On 10/11/07, Close, Tyler J. <tyler.close@hp.com> wrote:
>
>
>
>
> Thomas Roessler wrote:
> > going through the matching algorithm while folding it in...
> >
> > - The current language confuses attributes and fields.  I suspect
> >   that you mean the various attributes of the Subject certificate
> >   field.  Please confirm.
>
> The CN, O, L, ST and C values I refer to are the ones in the set
> referred to by the Subject field in the end entity certificate. Not sure
> how to be any more specific about this in PKIXese.
>
> > - I notice that you have some rules that concern matching the CN
> >   attribute, but none concerning subjectAltName.  I'm happy to
> >   simply track this point as an issue.
>
> Could you point me to a document covering the semantics of
> subjectAltName? Is it in use in X.509 certs on the Web?
>
> > Also, I'll open an issue to track the "PKI orthodoxy" remarks that
> > Hal had made at the face-to-face, and will link to that issue from
> > the draft.
>
> Thanks,
> --Tyler
>
>

Received on Thursday, 11 October 2007 19:48:21 UTC
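The point made in the reply above, that a matcher which only looks at the Subject CN would reject https://signin.ebay.de even though the certificate is valid for that host through its subjectAltName dNSName entries, is illustrated below. This is an added example, not code from the thread or from the editor draft under discussion; the two certificates are constructed dicts carrying the CN and SAN lists quoted in the message (not real parsed certificates), and the matching rules (SAN dNSName entries take precedence, CN is consulted only when the SAN extension carries no dNSName, and a wildcard is honoured only as the entire leftmost label) follow later RFC 6125 practice rather than anything the 2007 draft specified.

```python
"""Hostname matching against an X.509 end-entity certificate (added example).

Demonstrates why a CN-only matcher fails for signin.ebay.de while a
SAN-first matcher accepts it. The certificate objects are constructed
dicts, not parsed certificates.
"""

# Constructed representation of the certificate served for signin.ebay.com,
# using the CN and dNSName SAN entries quoted in the thread.
SIGNIN_EBAY_COM = {
    "cn": "signin.ebay.com",
    "san_dns": [
        "signin.cafr.ebay.ca", "signin.ebay.ca", "signin.ebay.com.au",
        "signin.ebay.com.cn", "signin.express.ebay.com", "signin.half.ebay.com",
        "signin.liveauctions.ebay.com", "signin.shopping.ebay.com",
        "signin.tw.ebay.com", "signin.ebay.com",
    ],
}

# Constructed representation of the certificate served for signin.ebay.de.
# Same CN, different SAN list.
SIGNIN_EBAY_DE = {
    "cn": "signin.ebay.com",
    "san_dns": [
        "signin.befr.ebay.be", "signin.benl.ebay.be", "signin.ebay.at",
        "signin.ebay.be", "signin.ebay.co.uk", "signin.ebay.de", "signin.ebay.es",
        "signin.ebay.fr", "signin.ebay.ie", "signin.ebay.nl",
        "signin.express.ebay.co.uk", "signin.ebay.com",
    ],
}


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one presented identifier against the reference hostname.

    Comparison is case-insensitive and ignores a trailing dot. A '*' is
    accepted only when it is the whole leftmost label, the pattern has at
    least two further labels (so '*.de' never matches), and the wildcard
    spans exactly one label (so '*.ebay.de' does not match 'a.b.ebay.de').
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cn_only_match(cert: dict, hostname: str) -> bool:
    """The naive rule: compare the hostname against the Subject CN only."""
    return dns_name_matches(cert["cn"], hostname)


def match_hostname(cert: dict, hostname: str) -> bool:
    """SAN-first rule: if the certificate carries any dNSName SAN entries,
    the decision rests on them alone and the CN is ignored. The CN is used
    only as a fallback for certificates with no dNSName entries at all."""
    san_names = cert.get("san_dns") or []
    if san_names:
        return any(dns_name_matches(name, hostname) for name in san_names)
    return dns_name_matches(cert["cn"], hostname)


if __name__ == "__main__":
    for label, cert in (("signin.ebay.com cert", SIGNIN_EBAY_COM),
                        ("signin.ebay.de cert", SIGNIN_EBAY_DE)):
        for host in ("signin.ebay.com", "signin.ebay.de", "signin.ebay.com.au"):
            print(f"{label:22s} host={host:20s} "
                  f"cn_only={cn_only_match(cert, host)!s:5s} "
                  f"san_first={match_hostname(cert, host)}")
```

Run as a script, the table shows that the CN-only rule accepts signin.ebay.com for both certificates and rejects every other host, whereas the SAN-first rule accepts each regional host only for the certificate that actually lists it. Ignoring the CN when dNSName entries are present also matters defensively: a CN is free-form text, so a matcher that keeps consulting it alongside the SAN widens the set of names a certificate is accepted for beyond what the issuer validated.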