[13480] in cryptography@c2.net mail archive
Re: Maybe It's Snake Oil All the Way Down
daemon@ATHENA.MIT.EDU (Derek Atkins)
Fri Jun 6 15:03:30 2003
X-Original-To: cryptography@metzdowd.com
To: EKR <ekr@rtfm.com>
Cc: Eric Murray <ericm@lne.com>,
Peter Gutmann <pgut001@cs.auckland.ac.nz>, jamesd@echeque.com,
bill.stewart@pobox.com, cryptography@metzdowd.com,
cypherpunks@lne.com, rsalz@datapower.com, sguthery@mobile-mind.com
From: Derek Atkins <derek@ihtfp.com>
Date: 05 Jun 2003 20:54:21 -0400
In-Reply-To: <kjr868m39t.fsf@romeo.rtfm.com>
Eric Rescorla <ekr@rtfm.com> writes:
> This isn't really true in the SSL case:
> To a first order, everyone ignores any extensions (except sometimes
> the constraints) and uses the CN for the DNS name of the server.
Except some CAs make certs that can only work as an SSL server and not
an SSL client, or don't work with certain verifiers, or can't be
parsed right, or have the "commit-bit" set on some extensions. It's
been a major pain in a problem that I'm working on -- not all vendors'
certs work properly.
> -Ekr
-derek
--
Derek Atkins
Computer and Internet Security Consultant
derek@ihtfp.com www.ihtfp.com
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com