Does a cert need a Common Name matching the domain?

Solderpunk solderpunk at posteo.net
Sun Jul 19 14:57:34 BST 2020


On Fri Jul 17, 2020 at 5:26 PM CEST,  wrote:
> On the surface I think you're right, that in the TOFU world,
> CN shouldn't matter, and neither should subjectAltName, etc.
> We shouldn't even need wildcard certs, because anything should be
> accepted.

There's some degree of sense in this: if the certificate is self-signed,
then none of the metadata attached to it is trustworthy in any sense,
and anybody can make a cert with whichever domain(s) they like in the
CN/SAN fields, so one could argue it should be ignored.

I still wonder, though, if it doesn't make sense to check the domain
names and expect them to match (AV-98 does this, for what it's worth),
mostly just to help guard against configuration errors and things like
that?

Cheers,
Solderpunk
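The two checks discussed in this message, as an added example that is not code from the thread or from AV-98: a trust-on-first-use fingerprint check (the actual trust decision) beside an advisory hostname check against the cert's SAN/CN (the "guard against configuration errors" part). It assumes certificates are handed over in the dict shape Python's `ssl.SSLSocket.getpeercert()` returns and that the raw DER bytes are available for fingerprinting; the `known_hosts` dict stands in for the on-disk pin store a client would keep, and all sample certs and DER bytes are constructed.

```python
"""TOFU fingerprint check plus advisory SAN/CN hostname check.

Added example, not from the mailing-list thread or from AV-98. Assumes the
getpeercert()-style dict layout for certificates and an in-memory dict as
the pin store; every sample value below is constructed.
"""
import hashlib


def cert_hostnames(cert):
    """Return the DNS names a certificate claims.

    subjectAltName DNS entries win when present; the subject Common Name is
    only a fallback (the usual RFC 6125 ordering).
    """
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if names:
        return names
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.append(value)
    return names


def _pattern_matches(pattern, hostname):
    """Match one SAN/CN entry against a hostname, case-insensitively."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    # Wildcard: only the leftmost label may be replaced, and it must be a
    # whole label ("*.example.org" matches "a.example.org" but neither
    # "example.org" nor "a.b.example.org").
    suffix = pattern[1:]  # ".example.org"
    if not hostname.endswith(suffix):
        return False
    leftmost = hostname[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def hostname_matches(hostname, cert):
    """True if any SAN DNS entry (or the fallback CN) covers hostname."""
    return any(_pattern_matches(p, hostname) for p in cert_hostnames(cert))


def fingerprint(der_bytes):
    """SHA-256 of the DER-encoded certificate, as a hex string."""
    return hashlib.sha256(der_bytes).hexdigest()


def tofu_check(host, port, der_bytes, known_hosts):
    """Trust-on-first-use: pin on first sight, compare on every later visit.

    Returns "new", "match" or "MISMATCH". known_hosts maps "host:port" to a
    hex fingerprint and is updated in place on first sight.
    """
    key = f"{host}:{port}"
    fp = fingerprint(der_bytes)
    pinned = known_hosts.get(key)
    if pinned is None:
        known_hosts[key] = fp
        return "new"
    return "match" if pinned == fp else "MISMATCH"


def evaluate(host, port, cert, der_bytes, known_hosts):
    """Run both checks.

    The TOFU result is the trust decision. The hostname result is advisory:
    a self-signed cert's CN/SAN prove nothing about identity, but a mismatch
    is a cheap signal that the server is serving the wrong cert.
    """
    return {
        "tofu": tofu_check(host, port, der_bytes, known_hosts),
        "hostname_ok": hostname_matches(host, cert),
    }


# Constructed sample data (not real certificates).
CERT_OK = {
    "subject": ((("commonName", "gemini.example.org"),),),
    "subjectAltName": (("DNS", "gemini.example.org"), ("DNS", "*.example.org")),
}
CERT_CN_ONLY = {"subject": ((("commonName", "old.example.net"),),)}
DER_A = b"constructed-der-bytes-A"
DER_B = b"constructed-der-bytes-B"

if __name__ == "__main__":
    store = {}
    print(evaluate("gemini.example.org", 1965, CERT_OK, DER_A, store))
    print(evaluate("gemini.example.org", 1965, CERT_OK, DER_A, store))
    print(evaluate("gemini.example.org", 1965, CERT_OK, DER_B, store))
    print(evaluate("gemini.example.org", 1965, CERT_CN_ONLY, DER_A, store))
```

The fourth call in the usage block is the configuration-error case the message describes: the pinned fingerprint still matches, so TOFU is satisfied, but the cert's names do not cover the host the client connected to, which a client can surface as a warning without refusing the connection.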


More information about the Gemini mailing list