I just noticed on a host that we use gsi-openssh-server that the host certificate does not include a SAN of the public DNS alias of the machine (i.e. oasis-login-itb.opensciencegrid.org). Isn't that a security concern? Normally clients are supposed to verify that. Dave