Eric Rescorla <ekr@rtfm.com> writes:
> This isn't really true in the SSL case: To a first order, everyone ignores any extensions (except sometimes the constraints) and uses the CN for the DNS name of the server.

Except some CAs make certs that can only work as an SSL server and not an SSL client, or don't work with certain verifiers, or can't be parsed right, or have the "commit-bit" set on some extensions. It's been a major pain in a problem that I'm working on -- not all vendors' certs work properly.

> -Ekr
-derek

--
Derek Atkins
Computer and Internet Security Consultant
derek@ihtfp.com www.ihtfp.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com