by cryptonector 245 days ago
No, we're not. We're using dNSName subjectAlternativeName values. We used to use the CN attribute of the subject DN, and... there is still code for that, but it's obsolete.

We _are_ using subject DNs for linking certs to their issuers, but though that's "free-form", we don't parse them, we only check for equality.


CN is absolutely used everywhere. And it can contain wildcards. SANs are also free-form.
SANs are not free-form. A dNSName SAN is supposed to have an FQDN. An rfc822Name SAN is supposed to carry an email address. And, ok, sure, email addresses' mailbox part is basically free-form, but so what, you don't interpret that part unless you've accepted that certificate for that email address's domain part, and then you interpret the mailbox part the way a mail server would because you're probably the mail server. Yes, you can have directoryName SANs, but the whole point of SANs is that DNs suck because X.400/X.500 naming sucks so we want to use something that isn't that.
> to have an FQDN

With wildcards.

Ah yes, you're right. That is a horrible bodge.
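Hostname matching against dNSName SANs, including the wildcard bodge the thread ends on, as an added example that is not from the thread or any commenter's code; it assumes the RFC 6125 wildcard rules, defines its own helper names (`dnsname_matches`, `hostname_matches_cert`) and uses constructed sample names.

```python
import ipaddress
from typing import List, Optional

def _normalise(name: str) -> str:
    """dNSName comparison is case-insensitive and the encoded form carries
    no trailing dot, so fold both before comparing."""
    return name.rstrip(".").lower()

def dnsname_matches(reference: str, presented: str) -> bool:
    """Match a reference hostname against one presented dNSName, applying
    the wildcard rules of RFC 6125 section 6.4.3."""
    ref, pres = _normalise(reference), _normalise(presented)
    if not ref or not pres or "*" in ref:
        return False
    try:
        ipaddress.ip_address(ref)
        return False  # IP literals belong in iPAddress SANs, never in dNSName
    except ValueError:
        pass
    if "*" not in pres:
        return ref == pres
    pres_labels, ref_labels = pres.split("."), ref.split(".")
    # The wildcard must be the whole left-most label and leave at least two
    # fixed labels: "*.example.com" is accepted, "*.com" and "f*o.example.com"
    # are refused.
    if pres_labels[0] != "*" or len(pres_labels) < 3 or "*" in pres[2:]:
        return False
    # One wildcard label covers exactly one label: "*.example.com" matches
    # "www.example.com" but neither "a.b.example.com" nor "example.com".
    return len(ref_labels) == len(pres_labels) and ref_labels[1:] == pres_labels[1:]

def hostname_matches_cert(hostname: str, san_dnsnames: List[str],
                          subject_cn: Optional[str] = None) -> bool:
    """dNSName SANs are authoritative: when any are present the subject CN is
    ignored (RFC 6125 section 6.4.4). The CN is consulted only for legacy
    certificates with no dNSName SAN at all, the obsolete path the thread
    mentions."""
    if san_dnsnames:
        return any(dnsname_matches(hostname, n) for n in san_dnsnames)
    return subject_cn is not None and dnsname_matches(hostname, subject_cn)

if __name__ == "__main__":
    # Constructed sample certificate names, not taken from a real certificate.
    sans = ["mail.example.com", "*.example.com"]
    for host in ("www.example.com", "a.b.example.com", "example.com"):
        print(host, hostname_matches_cert(host, sans))
```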