On Fri, Sep 12, 2014 at 4:20 PM, Heikki Linnakangas
<hlinnakangas@vmware.com> wrote:
>> Hmm. If that's what the browsers do, I think we should also err on the
>> side of caution here. Ignoring the CN is highly unlikely to cause anyone
>> a problem; a CA worth its salt should not issue a certificate with a CN
>> that's not also listed in the SAN section. But if you have such a
>> certificate anyway for some reason, it shouldn't be too difficult to get
>> a new certificate. Certificates expire every 1-3 years anyway, so there
>> must be a procedure to renew them anyway.
>
>
> Committed, with that change, ie. the CN is not checked if SANs are present.
>
> Thanks for bearing through all these iterations!
Great news! Thank you very much for devoting your time and energy to
the review and providing such a useful feedback!
On the CN thing, I don't have particularly strong arguments for either
of the possible behaviors, so sticking to RFC makes sense here
Sincerely,
--
Alexey Klyukin
