Peter said:

> While I realize that it is not clear cut in many contexts, RFC 5280 is
> rather clear cut. The authors clearly wanted to avoid stumbling and
> being eaten by a grue, so they wrote:
>
>    When the subjectAltName extension contains a domain name system
>    label, the domain name MUST be stored in the dNSName (an IA5String).
>    The name MUST be in the "preferred name syntax", as specified by
>    Section 3.5 of [RFC1034] and as modified by Section 2.1 of
>    [RFC1123].
>
> <snip>
>
> This makes it clear that the "preferred name syntax" is not a
> recommendation when it comes to certificates. It is mandatory.
Ah, but the lead-in there is "When the subjectAltName extension contains a domain name system label," and weird_place.example.com is not a domain name system label. It is not expected to (and likely does not, and maybe could not) resolve to an IP address on the public internet.

In practice, the people to whom weird_place.example.com is a useful name will be running Microsoft kit, which is very happy with an underscore in a name. All that matters to them is that weird_place.example.com resolves within their environment.

The CAB Forum BRs can be met in the validation of such a certificate provided that ownership or control of example.com is shown using the approved methods. The BRs place no requirement on the full name weird_place.example.com appearing on the internet or being accessible by the CA.

Regards
Robin
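For readers following the disagreement above, here is a checker for the "preferred name syntax" that RFC 5280 section 4.2.1.6 requires of a dNSName (RFC 1034 section 3.5 as modified by RFC 1123 section 2.1). It is an added illustration, not code from either correspondent or from Mozilla; the sample names, including weird_place.example.com from the thread, are constructed.

```python
import re

# One <label> from RFC 1034 s3.5 as relaxed by RFC 1123 s2.1: letters, digits
# and hyphens only, may start with a digit, no hyphen at either end, 1..63 chars.
_LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
_LDH_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-")


def dnsname_violations(name: str) -> list[str]:
    """Return every way `name` fails the 'preferred name syntax' that
    RFC 5280 s4.2.1.6 requires of a dNSName. An empty list means it conforms."""
    problems: list[str] = []
    # dNSName is an IA5String, so internationalised names must already be
    # A-labels (xn--...); raw non-ASCII cannot even be encoded in the field.
    if not name.isascii():
        problems.append("contains non-ASCII characters (dNSName is an IA5String)")
    # RFC 1034 s3.1 limits the wire form to 255 octets, i.e. 253 text characters.
    if len(name) > 253:
        problems.append(f"total length {len(name)} exceeds 253")
    for label in name.split("."):
        if label == "":
            # Covers "", leading/trailing dots and "a..b": the grammar has no
            # empty <label>, and the root label is not written in a dNSName.
            problems.append("empty label")
            continue
        if len(label) > 63:
            problems.append(f"label '{label[:10]}...' is {len(label)} chars, limit is 63")
        bad = sorted(set(label) - _LDH_CHARS)
        if bad:
            # This is the branch an underscore ends up in.
            problems.append(f"label '{label}' contains disallowed character(s) {bad}")
        elif not _LDH_LABEL.match(label) and len(label) <= 63:
            problems.append(f"label '{label}' begins or ends with a hyphen")
    return problems


def is_preferred_name_syntax(name: str) -> bool:
    """True only when `name` may appear in a SAN dNSName under RFC 5280."""
    return not dnsname_violations(name)


if __name__ == "__main__":
    # Constructed sample names; the first is the one debated in the thread.
    for candidate in ("weird_place.example.com", "www.example.com",
                      "3com.example.com", "-bad.example.com", "xn--bcher-kva.example"):
        print(f"{candidate:28} {dnsname_violations(candidate) or 'OK'}")
```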
_______________________________________________
dev-security-policy mailing list
https://lists.mozilla.org/listinfo/dev-security-policy

