[gnutls-devel] GnuTLS | Should a certificate with two SAN instances be rejected? (#872)
Development of GNU's TLS library
gnutls-devel at lists.gnutls.org
Sat Dec 14 10:53:28 CET 2019
julia commented:
In RFC 5280, I found the following statements, and wondered how a subject
public key and two subjectAltName extensions should be bound.
Which parts of the two extensions are verified (if the verification is still
performed)?
1. "Certification path processing verifies the binding between the subject distinguished name and/or subject alternative name and subject public key." (Section 6)
2. "If subject naming information is present only in the subjectAltName extension (e.g., a key bound only to an email address or URI), then the subject name MUST be an empty sequence and the subjectAltName extension MUST be critical." (Section 4.1.2.6)
3. "A certificate MUST NOT include more than one instance of a particular extension." (Section 4.2)
4. "Because the subject alternative name is considered to be definitively bound to the public key, all parts of the subject alternative name MUST be verified by the CA." (Section 4.2.1.6)
--
Reply to this email directly or view it on GitLab: https://gitlab.com/gnutls/gnutls/issues/872#note_260338436
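An added example, not part of this thread or of GnuTLS itself: a small DER walker in Python that enumerates the extnIDs of an X.509 Extensions sequence and applies two of the rules quoted in the question (4.2: at most one instance of any extension; 4.1.2.6: with an empty subject the subjectAltName must be critical). The Extensions bytes, the dNSName value and all helper names are constructed for this example and are not taken from the issue.

```python
SAN = "2.5.29.17"  # id-ce-subjectAltName
def tlv(tag, body):  # one DER TLV; short-form length suffices for the sample data
    assert len(body) < 0x80
    return bytes([tag, len(body)]) + body

def oid(dotted):  # dotted string -> DER OBJECT IDENTIFIER (full TLV)
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        while a := a >> 7:
            chunk.append(0x80 | (a & 0x7F))
        out += reversed(chunk)
    return tlv(0x06, bytes(out))

def extension(dotted, value, critical=False):  # Extension ::= SEQUENCE { extnID, critical, extnValue }
    crit = tlv(0x01, b"\xff") if critical else b""  # critical DEFAULT FALSE is omitted in DER
    return tlv(0x30, oid(dotted) + crit + tlv(0x04, value))

def read_tlv(buf, pos=0):  # -> (tag, body, position after the element)
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def parse_extensions(exts):  # -> [(extnID as its full OID TLV, critical)]
    tag, body, _ = read_tlv(exts)
    assert tag == 0x30, "Extensions must be a SEQUENCE"
    out, pos = [], 0
    while pos < len(body):
        _, ext, pos = read_tlv(body, pos)
        _, _, p = read_tlv(ext)  # extnID
        t, v, _ = read_tlv(ext, p)  # either the critical BOOLEAN or extnValue
        out.append((ext[:p], t == 0x01 and v != b"\x00"))
    return out

def check(exts, subject_empty):  # RFC 5280 4.2 (no duplicates) and 4.1.2.6 (SAN critical)
    parsed, seen, findings = parse_extensions(exts), set(), []
    for o, _ in parsed:
        if o in seen:
            findings.append("duplicate extension instance: " + o.hex())
        seen.add(o)
    san = [crit for o, crit in parsed if o == oid(SAN)]
    if subject_empty and (not san or not all(san)):
        findings.append("empty subject requires a critical subjectAltName")
    return findings
# Constructed sample: one dNSName in GeneralNames, wrapped in two SAN extensions as in the question.
NAMES = tlv(0x30, tlv(0x82, b"a.example"))  # [2] IMPLICIT IA5String = dNSName
TWO_SANS = tlv(0x30, extension(SAN, NAMES, True) + extension(SAN, NAMES, True))
ONE_SAN = tlv(0x30, extension(SAN, NAMES))  # non-critical, fine only with a non-empty subject
```

A verifier that stops at the first subjectAltName it finds would silently ignore the second instance; the duplicate check above makes the 4.2 violation visible instead.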