Maybe It's Snake Oil All the Way Down

Derek Atkins derek at ihtfp.com
Thu Jun 5 17:54:21 PDT 2003


Eric Rescorla <ekr at rtfm.com> writes:

> This isn't really true in the SSL case:
> To a first order, everyone ignores any extensions (except sometimes
> the constraints) and uses the CN for the DNS name of the server.

Except some CAs make certs that can only work as an SSL server and not
an SSL client, or don't work with certain verifiers, or can't be
parsed right, or have the "commit-bit" set on some extensions.  It's
been a major pain in a problem that I'm working on -- not all vendors'
certs work properly.

> -Ekr

-derek

-- 
       Derek Atkins
       Computer and Internet Security Consultant
       derek at ihtfp.com             www.ihtfp.com

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
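
Added example, not part of the original message or either poster's code: a Python check, using the third-party cryptography package, for two of the failure modes described above (a certificate usable as an SSL server but not as a client, and a critical extension the verifier cannot process). It reads "commit-bit" as the X.509 critical flag, which is an assumption; HANDLED, purpose_problems, make_cert and the OID 1.3.6.1.4.1.99999.1 are hypothetical names, and both certificates are constructed test data.

```python
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID as EKU, ExtensionOID, NameOID

# Extensions this (hypothetical) verifier knows how to process.
HANDLED = {ExtensionOID.EXTENDED_KEY_USAGE, ExtensionOID.BASIC_CONSTRAINTS,
           ExtensionOID.KEY_USAGE, ExtensionOID.SUBJECT_ALTERNATIVE_NAME}
ANY_EKU = x509.ObjectIdentifier("2.5.29.37.0")  # anyExtendedKeyUsage

def purpose_problems(cert, purpose):
    """Return reasons this cert is unusable for `purpose` (an EKU OID); [] if none."""
    problems = []
    for ext in cert.extensions:
        # RFC 5280: reject on a critical extension the verifier cannot process.
        if ext.critical and ext.oid not in HANDLED:
            problems.append("unhandled critical extension " + ext.oid.dotted_string)
    try:
        eku = cert.extensions.get_extension_for_class(x509.ExtendedKeyUsage).value
    except x509.ExtensionNotFound:
        return problems  # no EKU: purpose is not restricted by this extension
    if purpose not in eku and ANY_EKU not in eku:
        problems.append("EKU does not permit " + purpose.dotted_string)
    return problems

def make_cert(ekus, extra_critical_oid=None):
    """Build a constructed, self-signed test certificate (sample data only)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, "www.example.test")])
    start = datetime.datetime(2024, 1, 1)
    b = (x509.CertificateBuilder().subject_name(name).issuer_name(name)
         .public_key(key.public_key()).serial_number(1)
         .not_valid_before(start).not_valid_after(start + datetime.timedelta(days=1))
         .add_extension(x509.ExtendedKeyUsage(ekus), critical=False))
    if extra_critical_oid:
        ext = x509.UnrecognizedExtension(x509.ObjectIdentifier(extra_critical_oid), b"\x05\x00")
        b = b.add_extension(ext, critical=True)
    return b.sign(key, hashes.SHA256())

SERVER_ONLY = make_cert([EKU.SERVER_AUTH])
# 1.3.6.1.4.1.99999.1 is a made-up private OID standing in for a vendor extension.
VENDOR_EXT = make_cert([EKU.SERVER_AUTH, EKU.CLIENT_AUTH], "1.3.6.1.4.1.99999.1")

if __name__ == "__main__":
    for label, cert in (("server-only", SERVER_ONLY), ("vendor-ext", VENDOR_EXT)):
        print(label, purpose_problems(cert, EKU.CLIENT_AUTH))
```

Running the same function over each CA's issued certificates before deployment shows which ones a strict verifier will refuse and for which reason.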




