[openssl-users] Implementing deprecation of commonname and emailaddress
noloader at gmail.com
Thu Aug 17 15:26:33 UTC 2017
>> When you see a name like "example.com" in the CN, its usually a CA
>> including a domain name and not a hostname.
> That's nonsense.
If a certificate is issued under CA/B policies, and CN=example.com but
it _lacks_ SAN=example.com, then its a not a hostname and it should
not be matched.
I'm aware of OpenSSL's behavior in the matter. But OpenSSL does not
understand issuing policies so its easy to confuse.
Forgive me if OpenSSL is now imbued with knowledge of issuing policies
and how matching should occur outside of the RFCs.
More information about the openssl-users