Is SubjectAlternativeName in X.509 always used for DNS Names?



2023-12-21 06:51 | Source: compiled from the web | Views: 265

If you want to stay general, then the answer will be "it depends".

The citation from the RFC implies the following: if the entity is a subject for validation (e.g. the certificate is mapped to a specific entity in a directory), its identity MUST be presented in the Subject/Issuer Alternative Name extension.

In which case is it necessary to check the "Subject" field of a certificate?

When there is no SAN extension and the industry standard allows cases where a proper SAN is not present. For example, for S/MIME it is recommended to have an rfc822Name entry in the SAN extension, but if it is missing, it is OK to check the Subject field and the E attribute in the X.500 name.

The following logic explains the general concept:

1. Check if the SAN extension is present. Yes: go to 2. No: go to 4.
2. Check if the desired name type is present. Yes: go to 3. No: go to 8.
3. Check if the name of the desired name type matches your validation requirements (e.g. matches the domain in the address bar, such a user exists in the directory, the sender address matches the value in the alternative name, etc.). Yes: go to 7. No: go to 8.
4. Check if industry standards allow fallback to the Subject field. Yes: go to 5. No: go to 8.
5. Check if the desired fallback X.500 attribute is present (CN, E, etc.). Yes: go to 6. No: go to 8.
6. Check if the desired RDN matches your validation requirements (e.g. matches the domain in the address bar, such a user exists in the directory, the sender address matches the value in the RDN, etc.). Yes: go to 7. No: go to 8.
7. Accept the certificate. Exit.
8. Reject the certificate. Exit.

Some applications allow the absence of the SAN extension, e.g. Remote Desktop (the mstsc.exe implementation), S/MIME, VPN and others. Some applications will fail if the SAN extension is absent, e.g. HTTPS and MS-PKCA (certificate-based authentication in Active Directory).

Specifically for RADIUS, SAN is not mandatory, at least for Microsoft-based clients. However, it is recommended to use SAN whenever possible and to use the Subject field for descriptive purposes (to provide additional informative details about the entity).
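The eight-step decision procedure from the answer above, written out as runnable code. This is an added example, not code from the answer's author: the `Certificate` class is a constructed stand-in for an already-parsed certificate (no ASN.1 parsing), `PROFILES` encodes which applications from the answer require SAN (HTTPS) and which may fall back to the Subject (S/MIME to the E attribute, as the answer says; the CN fallback for RDP and RADIUS is an assumption), and `dns_name_matches` applies the usual RFC 6125 single-left-most-label wildcard rule, which the answer does not spell out.

```python
"""Name validation: SAN first, Subject fallback only where the application's
standard allows it. Added example; the Certificate data is constructed."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Certificate:
    """Stand-in for a parsed X.509 certificate (constructed for this example).
    subject: X.500 attributes, e.g. {"CN": "www.example.com", "E": "alice@example.com"}
    san:     SAN entries keyed by GeneralName type, or None when the extension is absent."""
    subject: dict
    san: Optional[dict] = None


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """RFC 6125-style dNSName comparison: case-insensitive, trailing dot ignored,
    '*' allowed only as the entire left-most label, matching exactly one label,
    and never for a pattern with fewer than three labels (so '*.com' is rejected)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or any("*" in lb for lb in p_labels[1:]):
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def email_matches(name: str, address: str) -> bool:
    """rfc822Name comparison: local part compared exactly, domain case-insensitively."""
    try:
        n_local, n_domain = name.rsplit("@", 1)
        a_local, a_domain = address.rsplit("@", 1)
    except ValueError:
        return False
    return n_local == a_local and n_domain.lower() == a_domain.lower()


# profile -> (SAN name type to look for, Subject attribute for fallback or None, comparison)
# Fallback None means the SAN extension is mandatory (HTTPS per the answer).
# E for S/MIME is from the answer; CN for RDP and RADIUS is an assumption.
PROFILES = {
    "https": ("dNSName", None, dns_name_matches),
    "smime": ("rfc822Name", "E", email_matches),
    "rdp": ("dNSName", "CN", dns_name_matches),
    "radius": ("dNSName", "CN", dns_name_matches),
}


def validate_name(cert: Certificate, profile: str, expected: str):
    """Return (accepted, reason), following the answer's steps 1-8."""
    name_type, fallback_attr, matches = PROFILES[profile]
    if cert.san is not None:                                   # step 1: SAN present
        names = cert.san.get(name_type, [])
        if not names:                                          # step 2: type missing -> reject
            return False, f"SAN present but has no {name_type}; Subject is not consulted"
        for name in names:                                     # step 3
            if matches(name, expected):
                return True, f"matched SAN {name_type}={name}"
        return False, f"no SAN {name_type} matches {expected!r}"
    if fallback_attr is None:                                  # step 4: fallback allowed?
        return False, f"SAN absent and the {profile} profile requires it"
    value = cert.subject.get(fallback_attr)                    # step 5
    if value is None:
        return False, f"SAN absent and Subject has no {fallback_attr}"
    if matches(value, expected):                               # step 6
        return True, f"matched Subject {fallback_attr}={value}"
    return False, f"Subject {fallback_attr}={value} does not match {expected!r}"


if __name__ == "__main__":
    cn_only = Certificate(subject={"CN": "www.example.com"})   # constructed sample
    for profile in ("https", "rdp"):
        print(profile, validate_name(cn_only, profile, "www.example.com"))
```

Note the asymmetry the flow chart encodes: a certificate that carries a SAN extension without the wanted name type is rejected at step 2 with no Subject fallback, while a certificate with no SAN at all may still pass through the Subject when the profile permits it.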









Copyright 2018-2019 办公设备维修网 (Office Equipment Repair Network). All rights reserved. 豫ICP备15022753号-3