copyrightIOActive,Inc.2006,allrightsreserved.ppt

  • About 31,100 characters
  • About 84 pages
  • Published 2016-08-12 in Tianjin

But Nobody Does It
  • Most common pattern:
      X509_NAME_get_text_by_NID (subj, NID_commonName, data, 1024);
      return data;
  • Seen in Claws, Open1x, Wget, Bacula, Neon, OpenLDAP
  • A CA based on X509_NAME_get_text_by_NID would only see/validate the first CN

So What Would You Do?
  • Wildcard policy
      • Netscape has an unlimited wildcard policy – if you can get a cert for *, you win
      • IE has a “chicken” wildcard policy – wildcards are only accepted two labels in (*.xxx.yyy)
  • Three CNs in one PKCS#10 Request
      CN= // for OpenSSL
      CN= // for IE
      CN=* // For Netscape

But What Is A CN, Anyway?
  • X.509 is written to ASN.1, somet
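As an added illustration (not code from the slides), the sketch below contrasts the first-CN-only lookup with a check that enumerates every CN before deciding. It assumes the subject is already decoded into the nested-tuple form that Python's ssl.SSLSocket.getpeercert() returns; the hostnames, function names and the wildcard rule are constructed for this example.

```python
# Subject in the shape of ssl.SSLSocket.getpeercert()["subject"]:
# a tuple of RDNs, each a tuple of (attribute, value) pairs.
# Constructed sample: three CNs in one subject, placeholder hostnames.
SAMPLE_SUBJECT = (
    (("organizationName", "Example Org"),),
    (("commonName", "first.example"),),
    (("commonName", "*.second.example"),),
    (("commonName", "*"),),
)


def all_cns(subject):
    """Return every commonName value, in encoded order."""
    return [v for rdn in subject for (k, v) in rdn if k == "commonName"]


def first_cn(subject):
    """Model of the first-match-only lookup: later CNs are never seen."""
    cns = all_cns(subject)
    return cns[0] if cns else None


def wildcard_ok(cn):
    """Example policy (an assumption): '*' may only be the entire
    leftmost label, with at least two labels after it (*.xxx.yyy)."""
    if "*" not in cn:
        return True
    labels = cn.split(".")
    rest = labels[1:]
    return labels[0] == "*" and len(rest) >= 2 and not any("*" in l for l in rest)


def subject_problems(subject):
    """Validate the whole subject, not just the first CN.
    Returns a list of findings; an empty list means acceptable."""
    problems = []
    cns = all_cns(subject)
    if len(cns) != 1:
        problems.append(f"expected exactly one CN, found {len(cns)}")
    for cn in cns:
        if not wildcard_ok(cn):
            problems.append(f"wildcard not allowed: {cn!r}")
    return problems


if __name__ == "__main__":
    print("first-match lookup sees:", first_cn(SAMPLE_SUBJECT))
    print("actually present:       ", all_cns(SAMPLE_SUBJECT))
    for p in subject_problems(SAMPLE_SUBJECT):
        print("reject:", p)
```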
