Re: RFC: Handling of certificates in Debian

On Fri, Aug 30, 2002 at 12:40:11AM +0200,
Henrique de Moraes Holschuh wrote:
> Right now, every TLS-enabled package tries to screw it up in new and
> never-before-tried ways.

One commonly missing feature is that the certificate should contain a
subjectAltName extension of type dNSName containing the hostname of the
machine (or, at least, put the hostname in the Common Name). See
RFC2818 and RFC2595.

Should a "recommended contents for X.509 certificates for TLS" be added
to Debian Policy?

On a similar subject, there seem to be more than a few applications
that have had "SSL/TLS support" added, but don't do any hostname
checking against the certificate - leaving you open to
man-in-the-middle attacks.

Andrew McDonald
E-mail: andrew@mcdonald.org.uk
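The check the message says is so often missing, as an added example (not code from this thread or from any Debian package): hostname matching in the style of RFC 2818 section 3.1 over a peer certificate in the dict shape that Python's ssl.SSLSocket.getpeercert() returns. SAN dNSName entries are authoritative and the subject CN is only a fallback when the certificate carries no dNSName at all; an IP literal must match an iPAddress entry exactly; a wildcard is honoured only as the whole leftmost label (the stricter RFC 6125 reading). The certificates below are constructed sample data, not real certificates, and the function names are this example's own; the standard library used to ship ssl.match_hostname for this, deprecated in 3.7 and removed in 3.12.

```python
"""RFC 2818-style hostname checking over a getpeercert()-shaped dict.
Pure standard library, no network; added example, not Debian code."""
import ipaddress
import ssl  # only for the CertificateError exception type


def _dns_match(pattern: str, hostname: str) -> bool:
    """Case-insensitive match of one certificate name against a hostname.
    A '*' is accepted only as the entire leftmost label, must be followed
    by at least two more labels, and matches exactly one label:
    '*.example.org' matches 'mail.example.org' but not 'a.b.example.org',
    and '*.org' or 'f*.example.org' never match anything."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    if p_labels[0] != "*" or "*" in pattern[2:] or len(p_labels) < 3:
        return False
    return len(h_labels) == len(p_labels) and p_labels[1:] == h_labels[1:]


def match_hostname(cert: dict, hostname: str) -> None:
    """Raise ssl.CertificateError unless `cert` is valid for `hostname`.

    Order of precedence, following RFC 2818 section 3.1:
      1. an IP-literal hostname needs an exactly matching iPAddress SAN;
      2. if any dNSName SAN exists, only those entries are consulted;
      3. otherwise the (most specific) subject commonName is used.
    Chain verification is a separate step and is assumed done already;
    this function is what stops a valid cert for the wrong host."""
    if not cert:
        raise ssl.CertificateError("empty or unverified peer certificate")
    san = cert.get("subjectAltName", ())
    dns_names = [value for (kind, value) in san if kind == "DNS"]
    ip_names = [value for (kind, value) in san if kind == "IP Address"]

    try:
        ip = ipaddress.ip_address(hostname)
    except ValueError:
        ip = None
    if ip is not None:
        if any(ipaddress.ip_address(i) == ip for i in ip_names):
            return
        raise ssl.CertificateError(f"IP {hostname!r} not in iPAddress SANs {ip_names}")

    if dns_names:
        if any(_dns_match(p, hostname) for p in dns_names):
            return
        raise ssl.CertificateError(f"{hostname!r} matches none of {dns_names}")

    # No dNSName SAN at all: fall back to the last commonName in the subject.
    cns = [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]
    if cns and _dns_match(cns[-1], hostname):
        return
    raise ssl.CertificateError(f"{hostname!r} does not match commonName {cns}")


def cert_valid_for(cert: dict, hostname: str) -> bool:
    """Boolean wrapper around match_hostname for callers that log and drop."""
    try:
        match_hostname(cert, hostname)
        return True
    except ssl.CertificateError:
        return False


# Constructed sample certificates in getpeercert() shape (not real certs).
GOOD_CERT = {
    "subject": ((("commonName", "mail.example.org"),),),
    "subjectAltName": (("DNS", "mail.example.org"), ("DNS", "*.example.org"),
                       ("IP Address", "192.0.2.10")),
}
CN_ONLY_CERT = {  # what many 2002-era generators produced: no SAN at all
    "subject": ((("organizationName", "Example"),), (("commonName", "imap.example.org"),)),
}
SAN_OVERRIDES_CN_CERT = {  # CN says imap, SAN says www: SAN wins
    "subject": ((("commonName", "imap.example.org"),),),
    "subjectAltName": (("DNS", "www.example.org"),),
}
ATTACKER_CERT = {  # a perfectly good CA-signed cert, just for another host
    "subject": ((("commonName", "attacker.example.net"),),),
    "subjectAltName": (("DNS", "attacker.example.net"),),
}

if __name__ == "__main__":
    for cert, host in [(GOOD_CERT, "smtp.example.org"), (ATTACKER_CERT, "mail.example.org")]:
        print(host, "->", "accept" if cert_valid_for(cert, host) else "reject")
```

A client that only sets cert_reqs=CERT_REQUIRED and never runs a check like this accepts ATTACKER_CERT for mail.example.org, which is exactly the man-in-the-middle the message describes; the CN-only fallback is what keeps CN_ONLY_CERT working with such clients, but a certificate generator should still emit the dNSName SAN, since clients following the RFC ignore the CN as soon as a SAN is present.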

