Changes between Initial Version and Version 1 of Ticket #5190


Timestamp: 07/08/2011 02:05:08 PM (9 years ago)
Author: Glyph
  • Ticket #5190 – Description

    initial v1  
    1 You know how when an SSL certificate has a subject, and the subject has some fields, and a user or admin somewhere typed something in order to access that domain name, and they're supposed to mac?  Since march, there's actually [http://www.rfc-editor.org/rfc/rfc6125.txt a specification that covers the expected behavior for that check], even in the face of weirdnesses like SRV record indirection, SNI, CNAMEs, and URIs which might not match hostnames exactly for some reason.
     1You know how when an x509 certificate used in TLS has a subject, and the subject has some fields, and a user or admin somewhere typed something in order to access that domain name, and they're supposed to match?  Since March of this year (2011), there's actually [http://www.rfc-editor.org/rfc/rfc6125.txt a specification that covers the expected behavior for that check], even in the face of weirdnesses like SRV record indirection, SNI, CNAMEs, and URIs which might not match hostnames exactly for some reason.
    22
    33We should implement that spec.  This would probably have to go into a smarter TLS endpoint, or endpoint wrapper, but at this point I think exactly where it would go is open to discussion, as I'm not an expert on the spec yet.
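
Review bot: in the added line 1, "x509" is normally written "X.509"; since this revision already tightens the wording from "SSL certificate" to a certificate "used in TLS", the standard's name should be spelled the usual way too. The unchanged last line leaves the placement open ("a smarter TLS endpoint, or endpoint wrapper"), so the description could also state which input the check compares the certificate against, which line 1 only describes as something "a user or admin somewhere typed".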