💾 Archived View for rawtext.club › ~sloum › geminilist › 002267.gmi captured on 2020-09-24 at 01:19:23. Gemini links have been rewritten to link to archived content

View Raw

More Information

-=-=-=-=-=-=-

<-- back to the mailing list

Does a cert need a Common Name matching the domain?

Solderpunk solderpunk at posteo.net

Sun Jul 19 14:57:34 BST 2020

- - - - - - - - - - - - - - - - - - - 

On Fri Jul 17, 2020 at 5:26 PM CEST, wrote:

On the surface I think you're right, that in the TOFU world,
CN shouldn't matter, and neither should subjectAltName, etc.
We shouldn't even need wildcard certs, because anything should be
accepted.

There's some degree of sense in this, if the certificate is self-signedthen none of the metadata attached to it is trustworthy in any sense,and anybody can make a cert with whichever domain(s) they like in theCN/SAN fields, so one could argue it should be ignored.

I still wonder, though, if it doesn't make sense to check the domainnames and expect them to match (AV-98 does this, for what it's worth),mostly just to help guard against configuration errors and things likethat?

Cheers,Solderpunk