Does a cert need a Common Name matching the domain?
Alex Schroeder
alex at gnu.org
Sun Jul 19 19:55:56 BST 2020
On Sun, 2020-07-19 at 15:57 +0200, Solderpunk wrote:
> I still wonder, though, if it doesn't make sense to check the domain
> names and expect them to match (AV-98 does this, for what it's worth),
> mostly just to help guard against configuration errors and things like
> that?

I don't know. Do we HAVE to check? If we only have to check when the
common name is an actual domain, how do we detect that, regular
expressions? It seems to run counter to what TOFU promised.

I feel it should be OK for transjovian.org to serve a wiki, and for
alexschroeder.ch:1965 to show that wiki, even though it uses the
certificate I used for transjovian.org. If the server domains have to
match, then I have to do the SNI thing and serve different
certificates and that's going to make certificates harder, again.

Please don't do this.
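
The two client policies discussed in this thread, side by side, as an added example that is not part of the original message or of any Gemini client: a TOFU store that pins by host and port, with the name comparison either advisory or enforced. The class name, the `require_name_match` switch, and the byte strings standing in for DER certificates are assumptions made for illustration.

```python
import hashlib

# Constructed stand-ins for DER-encoded certificates (not real certificates).
CERT_A = b"constructed DER stand-in: certificate issued for transjovian.org"
CERT_B = b"constructed DER stand-in: a different certificate"


def fingerprint(der: bytes) -> str:
    """SHA-256 over the certificate bytes, as a TOFU client would pin it."""
    return hashlib.sha256(der).hexdigest()


class TofuStore:
    """Hypothetical pin store keyed by (host, port), not by names in the cert."""

    def __init__(self):
        self.pins = {}

    def check(self, host, port, der, cert_names, require_name_match=False):
        """Return (verdict, warnings); verdict is 'pinned', 'ok' or 'reject'.

        cert_names are the names the caller extracted from the certificate.
        Matching here is exact and case-insensitive (no wildcard handling).
        """
        warnings = []
        if host.lower() not in {n.lower() for n in cert_names}:
            msg = f"certificate names {sorted(cert_names)} do not include {host}"
            if require_name_match:
                # Strict policy: refuse before anything is pinned.
                return "reject", [msg]
            # Advisory policy: surface the likely misconfiguration, keep going.
            warnings.append(msg)
        key = (host.lower(), port)
        fp = fingerprint(der)
        known = self.pins.get(key)
        if known is None:
            self.pins[key] = fp  # first use: trust and remember
            return "pinned", warnings
        if known != fp:
            return "reject", warnings + ["fingerprint changed since first use"]
        return "ok", warnings
```

With the advisory policy, one certificate served on both hosts is pinned once per host and a later change on either host is still rejected; with the strict policy, the second host is refused before any pin is stored.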