- From: Close, Tyler J. <tyler.close@hp.com>
- Date: Thu, 11 Oct 2007 21:01:03 -0000
- To: <public-wsc-wg@w3.org>
- Message-ID: <08CA2245AFCF444DB3AC415E47CC40AFFC8496@G3W0072.americas.hpqcorp.net>
Perhaps there's some way to finesse this part of the algorithm by reference to RFC 2818. I'll work on it. Many sites don't seem to be using this cert feature. For a fun example, visit the following URL using IE7. https://bankofamerica.com/ --Tyler ________________________________ From: Ian Fette [mailto:ifette@google.com] Sent: Thursday, October 11, 2007 12:48 PM To: Close, Tyler J. Cc: public-wsc-wg@w3.org Subject: Re: clarifications needed re safe form editor cert matching algorithm It is in huge use. For example. if you go to https://signin.ebay.com and look at the cert - the CN is signin.ebay.com but the certificate subject alt name lists: Not Critical DNS Name: signin.cafr.ebay.ca DNS Name: signin.ebay.ca DNS Name: signin.ebay.com.au DNS Name: signin.ebay.com.cn DNS Name: signin.express.ebay.com DNS Name: signin.half.ebay.com DNS Name: signin.liveauctions.ebay.com DNS Name: signin.shopping.ebay.com DNS Name: signin.tw.ebay.com DNS Name: signin.ebay.com and if you go to https://signin.ebay.de you again get a cert with CN= signin.ebay.com <http://signin.ebay.com> but alt names of: Not Critical DNS Name: signin.befr.ebay.be DNS Name: signin.benl.ebay.be DNS Name: signin.ebay.at DNS Name: signin.ebay.be DNS Name: signin.ebay.co.uk DNS Name: signin.ebay.de DNS Name: signin.ebay.es DNS Name: signin.ebay.fr DNS Name: signin.ebay.ie DNS Name: signin.ebay.nl DNS Name: signin.express.ebay.co.uk DNS Name: signin.ebay.com So yeah, it's important. On 10/11/07, Close, Tyler J. <tyler.close@hp.com> wrote: Thomas Roessler wrote: > going through the matching algorithm while folding it in... > > - The current language confuses attributes and fields. I suspect > that you mean the various attributes of the Subject certificate > field. Please confirm. The CN, O, L, ST and C values I refer to are the ones in the set referred to by the Subject field in the end entity certificate. Not sure how to be any more specific about this in PKIXese. > - I notice that you have some rules that concern matching the CN > attribute, but none concerning subjectAltName. I'm happy to > simply track this point as an issue. Could you point me to a document covering the semantics of subjectAltName? Is it in use in X.509 certs on the Web? > Also, I'll open an issue to track the "PKI orthodoxy" remarks that > Hal had made at the face-to-face, and will link to that issue from > the draft. Thanks, --Tyler
Received on Thursday, 11 October 2007 21:03:32 UTC