Does a cert need a Common Name matching the domain?

[Gary Johnson]

I was under the impression that the Gemini spec already made it
mandatory to make CNs match the requested domain name. That's why I
implemented SNI in Space Age. Here's the relevant section of the spec:

>From gemini://gemini.circumlunar.space/docs/specification.gmi:
-----------------------------------------------------------------
4 TLS

Use of TLS for Gemini transactions is mandatory.

Use of the Server Name Indication (SNI) extension to TLS is also
mandatory, to facilitate name-based virtual hosting.
-----------------------------------------------------------------

If I'm misunderstanding something here, please clarify.

Thanks,
  Gary


Alex Schroeder <alex at gnu.org> writes:

> On Sun, 2020-07-19 at 15:57 +0200, Solderpunk wrote:
>> I still wonder, though, if it doesn't make sense to check the domain
>> names and expect them to match (AV-98 does this, for what it's
>> worth),
>> mostly just to help guard against configuration errors and things
>> like
>> that?
>> 
>
> I don't know. Do we HAVE to check? If we only have to check when the
> common name is an actual domain, how do we detect that, regular
> expressions? It seems to run counter to what TOFU promised.
>
> I fell it should be OK for transjovian.org to serve a wiki, and for
> alexschroeder.ch:1965 to show that wiki, even though it uses the
> certificate I used for transjovian.org. If the server domains have to
> match, then I have to do the SNI thing and server different
> certificates and that's going to make certificates harder, again.
>
> Please don't do this.


-- 
GPG Key ID: 7BC158ED
Use `gpg --search-keys lambdatronic' to find me
Protect yourself from surveillance: https://emailselfdefense.fsf.org
=======================================================================
()  ascii ribbon campaign - against html e-mail
/\  www.asciiribbon.org   - against proprietary attachments

Please avoid sending me MS-Office attachments.
See http://www.gnu.org/philosophy/no-word-attachments.html