Re: Distribution of Authentication Certificates
On Thu, Mar 27, 2003 at 03:02:05PM +0100, Julian Mehnle wrote:
> > mozilla has some code to allow matching multiple hosts with the cn
> > (you can list them, and I think something like *.foo.bar is also
> > possible). Dunno if that is standardised somewhere.
>
> Netscape 4- uses the following scheme:
>
> http://wp.netscape.com/eng/security/ssl_2.0_certificate.html#Site
> (See "Subject Common Name" a bit further down)
The real problem is not the CN, but the certificate which the server
presents. There is no way (other than having multiple IP addresses) for a
server to know which hostname was requested before the SSL handshake has
ended. This means, if you have domain1.com and domain2.com on a single
name-based virtual server, you can't ship a certificate for the requested
domain. *.com or {domain1,domain2}.com are of course not a real solution.
Personally I think it is good that IE does not allow such complicated
pattern matching, and most CAs won't verify wildcard certificates, either.
Greetings
Bernd
--
(OO) -- Bernd_Eckenfels@Wendelinusstrasse39.76646Bruchsal.de --
( .. ) ecki@{inka.de,linux.de,debian.org} http://home.pages.de/~eckes/
o--o *plush* 2048/93600EFD eckes@irc +497257930613 BE5-RIPE
(O____O) When cryptography is outlawed, bayl bhgynjf jvyy unir cevinpl!
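Added example, not part of the original message or of any of the software mentioned in it: the ordering problem Bernd describes (the server must send its certificate before it has learned which hostname the client wanted) is what the TLS server_name extension (SNI) of RFC 3546, published a few months after this message, addresses. The client carries the hostname in its ClientHello, before any certificate is sent, so a name-based virtual server can pick the matching certificate. The snippet below builds ClientHello records with and without the extension (constructed test input, not captured traffic) and parses the name back out; when the extension is absent the server is in exactly the situation described and can only fall back to the one certificate bound to the IP address. The function names `build_client_hello`, `extract_sni` and `pick_certificate` and the hostnames are illustrative.

```python
import struct

SNI_EXTENSION_TYPE = 0x0000   # server_name, RFC 3546 section 3.1


def build_client_hello(server_name=None):
    """Construct a minimal TLS 1.2 ClientHello record (constructed input, not a capture).

    With server_name=None no extensions block is emitted at all, which is what a
    pre-RFC 3546 (SSLv3 / early TLS 1.0) client sends.
    """
    body = b"\x03\x03" + bytes(32)              # client_version + 32-byte random (zeroed here)
    body += b"\x00"                             # session_id length 0
    body += b"\x00\x02\x00\x2f"                 # cipher_suites: one suite, TLS_RSA_WITH_AES_128_CBC_SHA
    body += b"\x01\x00"                         # compression_methods: null only
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # name_type host_name(0) + length + name
        sni_list = struct.pack("!H", len(entry)) + entry        # ServerNameList length prefix
        ext = struct.pack("!HH", SNI_EXTENSION_TYPE, len(sni_list)) + sni_list
        body += struct.pack("!H", len(ext)) + ext               # extensions block length prefix
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body  # HandshakeType client_hello(1)
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake   # record: handshake, TLS 1.0


def extract_sni(record):
    """Return the host_name carried in the SNI extension of a ClientHello, or None if absent."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]

    pos = 2 + 32                                      # skip client_version and random
    sid_len = body[pos]; pos += 1 + sid_len           # session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2 + cs_len   # cipher_suites
    cm_len = body[pos]; pos += 1 + cm_len             # compression_methods
    if pos >= len(body):
        return None                                   # no extensions at all: legacy ClientHello

    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]; pos += 2
    end = pos + ext_len
    while pos + 4 <= end:
        ext_type, ext_size = struct.unpack("!HH", body[pos:pos + 4]); pos += 4
        data = body[pos:pos + ext_size]; pos += ext_size
        if ext_type != SNI_EXTENSION_TYPE:
            continue
        # ServerNameList: 2-byte list length, then entries of name_type(1) + name_len(2) + name
        list_len = struct.unpack("!H", data[0:2])[0]
        p = 2
        while p + 3 <= 2 + list_len:
            name_type = data[p]
            name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
            name = data[p + 3:p + 3 + name_len]
            p += 3 + name_len
            if name_type == 0:                        # host_name
                return name.decode("ascii")
    return None


def pick_certificate(record, certs_by_name, default_cert):
    """Choose the certificate for a name-based virtual host from the SNI name.

    Without SNI the server has nothing to select on and must serve default_cert,
    i.e. the single certificate bound to the IP address, which is the limitation
    described in the message above.
    """
    name = extract_sni(record)
    if name is None:
        return default_cert
    return certs_by_name.get(name, default_cert)


if __name__ == "__main__":
    certs = {"domain1.com": "cert-for-domain1", "domain2.com": "cert-for-domain2"}
    print(pick_certificate(build_client_hello("domain2.com"), certs, "default-cert"))
    print(pick_certificate(build_client_hello(), certs, "default-cert"))
```

The fallback branch is the practical caveat: a client that does not send the extension still gets the default certificate, so a name-based virtual host that exists only through SNI produces a hostname mismatch for such clients, exactly as it did for every client when this message was written.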