[cabfpub] BR "corrections" ballot
rob.stradling at comodo.com
Mon Mar 21 05:31:02 MST 2016
On 21/03/16 11:56, Gervase Markham wrote:
> On 21/03/16 11:49, Rob Stradling wrote:
>> What would be the downside of saying that subject:commonName, if
>> included in the cert, MUST contain either the A-label form or U-label
>> form of one of the SAN:dNSName values?
> Converting using IDNA2003 or IDNA2008? :-))
> In a data structure designed for computer consumption, why would you not
> want to write the computer-readable, as opposed to human-readable,
> version of the label? My security spider-sense tells me that allowing
> multiple "equivalent" forms of a name in a security context, rather than
> requiring a single canonical form, is a good way of getting nasty bugs.
Browsers ignore subject.commonName (for determining whether or not the
cert is valid for a given domain name) when 1 or more SAN:dNSNames are
How is the encoding of an ignored field "in a security context"?
Senior Research & Development Scientist
COMODO - Creating Trust Online
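Added illustration, not part of the original message or of any participant's tooling: a lint-style check for the rule proposed in the quoted question (CN, if present, equals the A-label or U-label form of one SAN:dNSName). It assumes Python's built-in `idna` codec, which implements IDNA2003; `classify_cn` and the sample names are constructed for this example.

```python
"""CN-vs-SAN lint. Added example; function name and sample data are hypothetical."""

# Constructed sample SAN:dNSName values (A-label form, as stored in the cert).
SAMPLE_SANS = ["xn--bcher-kva.example", "fass.de"]


def classify_cn(cn, san_dns_names):
    """Return how subject:commonName relates to the SAN:dNSName values.

    'a-label'  : CN equals one of the SANs (ASCII case-insensitive)
    'u-label'  : CN is the round-trippable Unicode form of one of the SANs
    'mapped'   : CN reaches a SAN only through IDNA2003 mapping, so it is
                 an "equivalent" spelling rather than a canonical form
    'no-match' : CN corresponds to no SAN
    """
    sans = {s.lower() for s in san_dns_names}

    # ASCII CN: must literally be one of the dNSName values.
    if cn.isascii():
        return "a-label" if cn.lower() in sans else "no-match"

    # Non-ASCII CN: convert to ASCII form with the stdlib codec (IDNA2003).
    try:
        a_form = cn.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return "no-match"  # not convertible at all (e.g. empty label)
    if a_form not in sans:
        return "no-match"

    # Strict U-label test: converting back must reproduce the CN exactly.
    # IDNA2003 maps some characters (case folding, German sharp s to "ss"),
    # so several Unicode spellings can collapse onto one A-label.
    round_trip = a_form.encode("ascii").decode("idna")
    return "u-label" if round_trip == cn else "mapped"


if __name__ == "__main__":
    for cn in ("xn--bcher-kva.example", "bücher.example",
               "Bücher.example", "faß.de", "other.example"):
        print(f"{cn!r:28} -> {classify_cn(cn, SAMPLE_SANS)}")
```

The `mapped` result for `faß.de` against the SAN `fass.de` is the IDNA2003 behaviour; IDNA2008 treats the sharp s as a valid character in its own right, so the same CN would correspond to a different A-label there.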