[cabfpub] BR "corrections" ballot

Rob Stradling rob.stradling at comodo.com
Mon Mar 21 04:49:26 MST 2016


On 21/03/16 11:39, Gervase Markham wrote:
> On 21/03/16 11:23, Rob Stradling wrote:
>> Hi Gerv.  This has been common practice for years:
>>
>> See https://crt.sh/?cablint=247
>
> Well, it may have been, but that doesn't mean it's a) currently
> BR-compliant, or b) a good idea :-)

On a), here's my view:

https://cabforum.org/pipermail/public/2016-January/006642.html

>> See also this thread from a couple of months ago:
>> https://cabforum.org/pipermail/public/2016-January/006631.html
>
> What would be the downside of saying that all domain names in
> certificates have to be in A-label form?

What would be the downside of saying that subject:commonName, if 
included in the cert, MUST contain either the A-label form or U-label 
form of one of the SAN:dNSName values?

> That seems like the simplest
> thing, if nothing breaks. This seems to be what is being hinted at in
> RFC 5280, although as noted it doesn't say that explicitly.
>
>>> Are the things we put in certificates hostnames? Given that SSL is for
>>> connecting to internet hosts, it would seem to me that they are. Clue me
>>> in by explaining what I'm missing.
>>
>> "You've entered a special hell. It is dark and scary. You are likely to
>> be eaten by a grue."
>>
>> https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg02548.html
>
> Can someone give me a concrete example of why someone would want an _ in
> a hostname in a cert? An all-Microsoft shop using it for an internal
> name which nevertheless was an FQDN? my_server.corp.fooco.com?
>
> Gerv

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online



More information about the Public mailing list