Re: Root Certificate

From: Chris Ridd <chrisridd@xxxxxxx>
Date: Tue, 24 Jan 2006 06:57:08 GMT

On 24/1/06 2:19, in article BFFACEC7.945AC%nathanh@xxxxxxxxxxxxxxxxxxxx,
"Nathan Herring [MSFT]" <nathanh@xxxxxxxxxxxxxxxxxxxx> wrote:

> More specifically, the rules are that:
> 1) You must match the common name in the subject name <OR> you must match a
> FQDN or IP address found in a subject alternative name extension.
> 2) If you have a critical Extended Key Usage ( 2 5 29 37 ) extension, then
> it must list Server Authentication ( 1 3 6 1 5 5 7 3 1 ) as one of its
> purposes.
>
> Given that, we don't have support for comparing IP addresses in subject
> alternative names. (Yet.) We also have some issues about reporting what kind

I thought the job of comparing the name the user entered to connect to with
the name in the server's cert was the job of Apple's security framework?
Apple's tpPolicies.cpp seems to have all this functionality...

<http://darwinsource.opendarwin.org/10.4.4.ppc/libsecurity_apple_x509_tp-248
18/lib/tpPolicies.cpp>

(It looks broadly similar to the code in 10.3.)

> I highly suggest taking up the issue with your IT administrator. They should
> be issuing correct certificates. They can use the "*.foo.com" syntax to be
> able to match all the hosts in the foo.com domain (though not "a.b.foo.com",
> for which it would need "*.*.foo.com").

You're right - working around the error shouldn't be necessary.

But experience suggests that an "IT admin" thinks it works with Windows
clients they won't be keen to do anything to make it work with anything else
:-(

Cheers,

Chris

.

Follow-Ups:
- Re: Root Certificate
  - From: Kevin Ledgister
- Re: Root Certificate
  - From: Nathan Herring [MSFT]

References:
- Root Certificate
  - From: Kevin Ledgister
- Re: Root Certificate
  - From: Chris Ridd
- Re: Root Certificate
  - From: Nathan Herring [MSFT]

Prev by Date: Post to Write-only group with Entourage
Next by Date: Re: Another GAL problem
Previous by thread: Re: Root Certificate
Next by thread: Re: Root Certificate
Index(es):
- Date
- Thread

Relevant Pages

Re: Discussion of why java.lang.Number does not implement Comparable
... have to deal with pairs that have no common factors. ... Comparing large integers of known digit-sequence (in any ... the binary representation as unsigned Java ints in other words. ...
(comp.lang.java.programmer)
Re: So Lucy is a gorilla
... assumption that chimps are the closest living *relatives* of humans? ... troglodytes_ are the result of common ancestry rather than common ... Science works by comparing ... It's the same in all science. ...
(talk.origins)
Re: So Lucy is a gorilla
... troglodytes_ are the result of common ancestry rather than common ... Science works by comparing ... It's the same in all science. ... pattern has to be "designed". ...
(talk.origins)
Re: So Lucy is a gorilla
... assumption that chimps are the closest living *relatives* of humans? ... troglodytes_ are the result of common ancestry rather than common ... Science works by comparing ... pattern has to be "designed". ...
(talk.origins)
Re: "Nobody expects the Spanish Influenza!"
... >Are they going to develop a vaccine for this "recovered" virus? ... They're comparing it to the bird flu to see what they have ... in common. ...
(sci.med)