- From: Ian Fette <ifette@google.com>
- Date: Thu, 11 Oct 2007 14:08:19 -0700
- To: "Close, Tyler J." <tyler.close@hp.com>
- Cc: public-wsc-wg@w3.org
- Message-ID: <bbeaa26f0710111408i5d7fe11cra33ed00067b2cdf@mail.gmail.com>
bankofamerica.com does not use an alt-name. What's the point? (And for those of us who aren't using IE7, I'm assuming you just get a common name mismatch error, or what?) If eBay uses it, then I think you need to be worried about breaking it.

On 10/11/07, Close, Tyler J. <tyler.close@hp.com> wrote:
> Perhaps there's some way to finesse this part of the algorithm by
> reference to RFC 2818. I'll work on it.
>
> Many sites don't seem to be using this cert feature. For a fun example,
> visit the following URL using IE7.
>
> https://bankofamerica.com/
>
> --Tyler
>
> ------------------------------
> *From:* Ian Fette [mailto:ifette@google.com]
> *Sent:* Thursday, October 11, 2007 12:48 PM
> *To:* Close, Tyler J.
> *Cc:* public-wsc-wg@w3.org
> *Subject:* Re: clarifications needed re safe form editor cert matching algorithm
>
> It is in huge use. For example, if you go to https://signin.ebay.com and
> look at the cert - the CN is signin.ebay.com but the certificate subject
> alt name lists:
>
> Not Critical
> DNS Name: signin.cafr.ebay.ca
> DNS Name: signin.ebay.ca
> DNS Name: signin.ebay.com.au
> DNS Name: signin.ebay.com.cn
> DNS Name: signin.express.ebay.com
> DNS Name: signin.half.ebay.com
> DNS Name: signin.liveauctions.ebay.com
> DNS Name: signin.shopping.ebay.com
> DNS Name: signin.tw.ebay.com
> DNS Name: signin.ebay.com
>
> and if you go to https://signin.ebay.de you again get a cert with CN=signin.ebay.com but alt names of:
>
> Not Critical
> DNS Name: signin.befr.ebay.be
> DNS Name: signin.benl.ebay.be
> DNS Name: signin.ebay.at
> DNS Name: signin.ebay.be
> DNS Name: signin.ebay.co.uk
> DNS Name: signin.ebay.de
> DNS Name: signin.ebay.es
> DNS Name: signin.ebay.fr
> DNS Name: signin.ebay.ie
> DNS Name: signin.ebay.nl
> DNS Name: signin.express.ebay.co.uk
> DNS Name: signin.ebay.com
>
> So yeah, it's important.
>
> On 10/11/07, Close, Tyler J. <tyler.close@hp.com> wrote:
> > Thomas Roessler wrote:
> > > going through the matching algorithm while folding it in...
> > >
> > > - The current language confuses attributes and fields. I suspect
> > > that you mean the various attributes of the Subject certificate
> > > field. Please confirm.
> >
> > The CN, O, L, ST and C values I refer to are the ones in the set
> > referred to by the Subject field in the end entity certificate. Not sure
> > how to be any more specific about this in PKIXese.
> >
> > > - I notice that you have some rules that concern matching the CN
> > > attribute, but none concerning subjectAltName. I'm happy to
> > > simply track this point as an issue.
> >
> > Could you point me to a document covering the semantics of
> > subjectAltName? Is it in use in X.509 certs on the Web?
> >
> > > Also, I'll open an issue to track the "PKI orthodoxy" remarks that
> > > Hal had made at the face-to-face, and will link to that issue from
> > > the draft.
> >
> > Thanks,
> > --Tyler
Received on Thursday, 11 October 2007 21:08:44 UTC
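The RFC 2818 section 3.1 rule the thread circles around (when a dNSName subjectAltName is present it is the identity and the CN is ignored; the CN is only a fallback for certificates with no dNSName), as an added example that is not part of the thread or of the WG draft. The eBay certificate data is constructed from the alt-name lists quoted above; the bankofamerica.com entry assumes a CN-only certificate, as the thread describes.

```python
# Added example (not from the WG draft or the thread): RFC 2818 section 3.1
# server-identity matching over the certificate data quoted in the thread.

EBAY_COM_CERT = {  # constructed from the first subjectAltName list above
    "cn": "signin.ebay.com",
    "san": ["signin.cafr.ebay.ca", "signin.ebay.ca", "signin.ebay.com.au",
            "signin.ebay.com.cn", "signin.express.ebay.com",
            "signin.half.ebay.com", "signin.liveauctions.ebay.com",
            "signin.shopping.ebay.com", "signin.tw.ebay.com", "signin.ebay.com"],
}
EBAY_DE_CERT = {  # constructed from the second subjectAltName list above
    "cn": "signin.ebay.com",
    "san": ["signin.befr.ebay.be", "signin.benl.ebay.be", "signin.ebay.at",
            "signin.ebay.be", "signin.ebay.co.uk", "signin.ebay.de",
            "signin.ebay.es", "signin.ebay.fr", "signin.ebay.ie",
            "signin.ebay.nl", "signin.express.ebay.co.uk", "signin.ebay.com"],
}
# Assumed CN-only certificate, as the thread describes for bankofamerica.com.
NO_SAN_CERT = {"cn": "bankofamerica.com", "san": []}


def name_matches(presented: str, hostname: str) -> bool:
    """Compare one presented name with the hostname, case-insensitively.
    RFC 2818 lets '*' stand for a single domain component or fragment:
    '*.a.com' matches foo.a.com but not bar.foo.a.com."""
    p_labels = presented.lower().split(".")
    h_labels = hostname.lower().split(".")
    if len(p_labels) != len(h_labels):
        return False
    for p, h in zip(p_labels, h_labels):
        head, star, tail = p.partition("*")
        if star and "*" not in tail:  # one wildcard inside this label
            ok = (len(h) >= len(head) + len(tail)
                  and h.startswith(head) and h.endswith(tail))
        else:
            ok = p == h
        if not ok:
            return False
    return True


def matches_server_identity(hostname: str, cert: dict) -> bool:
    """RFC 2818 section 3.1: if a dNSName subjectAltName is present it MUST
    be used as the identity and the CN is not consulted; only a certificate
    with no dNSName falls back to the Common Name."""
    if cert["san"]:
        return any(name_matches(n, hostname) for n in cert["san"])
    return bool(cert["cn"]) and name_matches(cert["cn"], hostname)
```

Note that signin.ebay.de is rejected against the first certificate even though its CN would be consulted by a CN-only rule: once a dNSName is present, the CN no longer counts.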