... this one:
https://ggus.eu/tech/ticket_show.php?ticket=89105
Despite being cc'ed on the ticket a week ago I haven't seen anything in
my inbox till this morning when Jon Perkin submitted another response.
Also, I can't edit it, but I have asked GGUS for permission.
* The UK CA _does_ issue certificates with subjectAltNames. Hosts have
DNS names in theirs, and people (and robots) have email addresses.
* When a client connects to a host (server), it should (will) check its
name for the server (i.e. the one it uses to open the connection) against
the subject alt name in the certificate.
Note there is no canonicalisation, so the name in the certificate and
the hostname can happily be aliases. In fact there is no consulting DNS
at all for the security check (unless the certificate is issued to an IP
address, but no one in the grid world does that).
The CN is supposed to be consulted only if there is no S.A.N., and in
the case of Globusy things it will consult it anyway to check the
service name, if any - although I am not sure whether Globus is still
using this. Globus also had a non-standard wildcard scheme based on
hyphens.
I seriously doubt anyone in the (grid) world issues host certs without
DNS names in the S.A.N. We certainly don't. Hope that clears things up
a bit!
Thanks
--jens
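The checking rules Jens describes above (compare the name the client connected with against the SAN dNSName entries, no DNS canonicalisation so an alias does not match, CN consulted only when the certificate carries no dNSName SAN, and an IP literal only ever matched against an iPAddress entry) can be written down as a small matcher. The following is an added example and not code from the message, from GGUS or from Globus; it models certificates as plain dicts with hypothetical `cn` and `san` keys so that it runs without a crypto library, and the host names in it are constructed. Globus's hyphen-based wildcard scheme is not implemented; only the standard leftmost-label wildcard is.

```python
"""
Hostname verification against a certificate's subjectAltName (SAN).

Certificates are modelled as dicts (a constructed format for this example):
    {"cn": "host.example.ac.uk",
     "san": [("DNS", "host.example.ac.uk"), ("IP", "192.0.2.10")]}
"""
import ipaddress
from typing import Tuple


def _match_dns_pattern(pattern: str, hostname: str) -> bool:
    """Compare one dNSName pattern with the name the client connected to.

    Comparison is case-insensitive and purely textual: no DNS lookup, so an
    alias of the certified host never matches. A wildcard is accepted only as
    the entire leftmost label and matches exactly one label, so
    "*.batch.example.ac.uk" matches "wn007.batch.example.ac.uk" but not
    "batch.example.ac.uk" or "a.b.batch.example.ac.uk".
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Wildcard must be the whole leftmost label, with at least two labels
    # after it, so patterns such as "*.uk" or "ce*.example.ac.uk" never match.
    if p_labels[0] != "*" or len(p_labels) < 3:
        return False
    if len(h_labels) != len(p_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_hostname(cert: dict, hostname: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for connecting to `hostname` with `cert`."""
    san = cert.get("san", [])
    dns_names = [value for (kind, value) in san if kind == "DNS"]
    ip_names = [value for (kind, value) in san if kind == "IP"]

    # A literal IP address is only satisfied by an iPAddress SAN entry;
    # dNSName entries and the CN are not consulted at all in that case.
    try:
        addr = ipaddress.ip_address(hostname)
    except ValueError:
        addr = None
    if addr is not None:
        if any(ipaddress.ip_address(ip) == addr for ip in ip_names):
            return True, "matched iPAddress SAN %s" % addr
        return False, "no iPAddress SAN matches an IP literal"

    # With dNSName entries present, the SAN is authoritative: the CN is not a
    # fallback even when it would have matched.
    if dns_names:
        for name in dns_names:
            if _match_dns_pattern(name, hostname):
                return True, "matched dNSName SAN %r" % name
        return False, "SAN present but no dNSName matches; CN not consulted"

    # Legacy certificate without any dNSName: only now does the CN count.
    cn = cert.get("cn")
    if cn and _match_dns_pattern(cn, hostname):
        return True, "no dNSName SAN; matched subject CN %r" % cn
    return False, "no dNSName SAN and CN does not match"


# Constructed sample certificates for the demonstration below.
SAN_CERT = {
    "cn": "ce01.grid.example.ac.uk",
    "san": [("DNS", "ce01.grid.example.ac.uk"),
            ("DNS", "*.batch.example.ac.uk")],
}
CN_ONLY_CERT = {"cn": "old.grid.example.ac.uk", "san": []}
IP_CERT = {"cn": "192.0.2.10", "san": [("IP", "192.0.2.10")]}
MISMATCHED_CN_CERT = {
    "cn": "host.example.ac.uk",
    "san": [("DNS", "other.example.ac.uk")],
}

if __name__ == "__main__":
    for cert, host in [
        (SAN_CERT, "CE01.grid.example.ac.uk"),      # case-insensitive match
        (SAN_CERT, "ce-alias.grid.example.ac.uk"),  # alias: no DNS consulted
        (SAN_CERT, "wn007.batch.example.ac.uk"),    # wildcard, one label
        (SAN_CERT, "batch.example.ac.uk"),          # wildcard needs a label
        (CN_ONLY_CERT, "old.grid.example.ac.uk"),   # CN fallback, no SAN
        (MISMATCHED_CN_CERT, "host.example.ac.uk"), # CN ignored, SAN present
        (IP_CERT, "192.0.2.10"),                    # iPAddress entry
        (SAN_CERT, "192.0.2.10"),                   # no iPAddress entry
    ]:
        print("%-32s %s" % (host, verify_hostname(cert, host)))
```

The mismatched-CN case is the one that bites in practice: a certificate whose CN names the host but whose SAN lists something else is rejected by a conforming client, which is why the CN alone is no longer enough for a host certificate.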