Re: RFC: Handling of certificates in Debian
On Fri, Aug 30, 2002 at 12:40:11AM +0200,
Henrique de Moraes Holschuh wrote:
>
> Right now, every TLS-enabled package tries to screw it up in new and
> never-before-tried ways.
One commonly missing feature is that the certificate should contain a
subjectAltName extension of type dNSName containing the hostname of the
machine (or, at least, put the hostname in the Common Name). See
RFC2818 and RFC2595.

Should a "recommended contents for X.509 certificates for TLS" be added
to Debian Policy?

On a similar subject, there seem to be more than a few applications
that have had "SSL/TLS support" added, but don't do any hostname
checking against the certificate - leaving you open to
man-in-the-middle attacks.

Andrew
--
Andrew McDonald
E-mail: andrew@mcdonald.org.uk
http://www.mcdonald.org.uk/andrew/
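
Added example, not part of the original message: a sketch of the hostname check that RFC 2818 section 3.1 asks a TLS client to perform, with dNSName entries taking precedence and the Common Name used only as a fallback. The certificate dictionaries follow the layout returned by Python's `ssl.SSLSocket.getpeercert()`; the sample certificates, the function names, and the whole-label-only wildcard rule are assumptions made for illustration.

```python
def _name_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS name comparison, label by label."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        # Assumption: a wildcard must be the entire leftmost label, covers
        # exactly one label, and needs at least two fixed labels after it.
        return len(p) >= 3 and p[1:] == h[1:]
    # Partial wildcards such as "f*.example.org" are rejected outright.
    return "*" not in pattern and p == h


def hostname_matches(cert: dict, hostname: str) -> bool:
    """Return True if `hostname` is an identity the certificate asserts."""
    dns_names = [v for (kind, v) in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        # RFC 2818: when a dNSName is present it MUST be used as the identity,
        # so the Common Name is deliberately ignored on this path.
        return any(_name_match(name, hostname) for name in dns_names)
    # Fallback: no dNSName at all, so use the Common Name. The last CN in
    # the subject is assumed here to be the most specific one.
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    return bool(cns) and _name_match(cns[-1], hostname)


# Constructed sample certificates (not taken from any real server).
SAN_CERT = {
    "subject": ((("commonName", "old.example.net"),),),
    "subjectAltName": (("DNS", "mail.example.org"), ("DNS", "*.example.com")),
}
CN_ONLY_CERT = {
    "subject": ((("organizationName", "Example"),), (("commonName", "imap.example.org"),)),
}

if __name__ == "__main__":
    for cert, host in [(SAN_CERT, "mail.example.org"), (SAN_CERT, "old.example.net"),
                       (CN_ONLY_CERT, "imap.example.org"), (CN_ONLY_CERT, "other.example.org")]:
        print(host, "->", "accept" if hostname_matches(cert, host) else "reject")
```

An application that skips this step accepts any certificate that chains to a trusted CA, whatever host it was issued for. Current Python clients get the check from the TLS library itself: `ssl.create_default_context()` enables `check_hostname`.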