On Thu, Nov 19, 2015 at 11:57 AM, Robin Alden <[email protected]> wrote:
> Peter said..
>> While I realize that it is not clear cut in many contexts, RFC 5280 is
>> rather clear cut. The authors clearly wanted to avoid stumbling and
>> being eaten by a grue, so they wrote:
>>
>>     When the subjectAltName extension contains a domain name system
>>     label, the domain name MUST be stored in the
>>     dNSName (an IA5String).
>>     The name MUST be in the "preferred name syntax", as specified by
>>     Section 3.5 of [RFC1034] and as modified by Section 2.1 of
>>     [RFC1123].
<snip>
>>
>> This makes it clear that the "preferred name syntax" is not a
>> recommendation when it comes to certificates. It is mandatory.
>
> Ah, but the lead-in there is
>     "When the subjectAltName extension
>     contains a domain name system label,"
>
> weird_place.example.com is not a domain name system label. It is not
> expected to (and likely does not, and maybe could not) resolve to an IP
> address on the public internet.
Yes, reading again I agree that the language there leaves it open that the
dNSName type might not contain a domain name system label. If the authors
truly wanted to avoid the grue, they should have said: "When the
subjectAltName extension contains a dNSName, the dNSName must contain a
domain name." (or domain name system label).

Given that it doesn't, but that the BRs say "MUST be either a dNSName
containing the Fully-Qualified Domain Name or an iPAddress containing the
IP address", it is clear we still need to have a valid FQDN.

I'll update my scanner to allow "_" in the labels that are not registry
controlled or in the label that is immediately to the left of the
registry controlled labels. Give me a little while and I'll upload a
revised data set with this fix.

> In practice, the people to whom weird_place.example.com is a useful name
> will be running Microsoft kit which is very happy with an underscore in
> a name. All that matters to them is that weird_place.example.com
> resolves within their environment.
> The CAB Forum BRs can be met in the validation of such a certificate
> providing that ownership or control of example.com is shown in the
> approved methods. The BRs place no requirement on the full name
> weird_place.example.com appearing on the internet or being accessible by
> the CA.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
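The rule Peter describes above (RFC 1034 section 3.5 "preferred name syntax" as modified by RFC 1123 section 2.1, plus an exception that tolerates "_" only in labels that are neither registry controlled nor immediately to the left of the registry-controlled labels) is easy to get subtly wrong in a scanner, so here is an added, stand-alone checker. It is example code written for this page, not Peter's scanner or anything from the thread. Assumptions: the registry-controlled suffixes are a small constructed stand-in for the Public Suffix List (a real scanner would load the PSL); an unrecognised suffix is treated as a single registry-controlled top-level label; and in the relaxed labels "_" is treated like a letter or digit, i.e. permitted anywhere in the label.

```python
"""Check a dNSName SAN value against the RFC 1034 3.5 preferred name syntax
(as modified by RFC 1123 2.1), optionally tolerating "_" in labels that are
neither registry controlled nor immediately left of the registry-controlled
labels. Added example, not code from the mailing-list thread.
"""
import re

# LDH label: letters, digits, hyphen; must start and end with a letter or digit.
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
# Relaxed label: "_" treated like a letter or digit (assumption, see lead-in).
LDH_U_LABEL = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_-]*[A-Za-z0-9_])?$")

# Constructed stand-in for the Public Suffix List, lower-case, no leading dot.
REGISTRY_SUFFIXES = frozenset({"com", "net", "org", "uk", "co.uk"})


def registry_controlled_label_count(labels, suffixes=REGISTRY_SUFFIXES):
    """Number of trailing labels that are registry controlled.

    Longest match from the right wins, mirroring a PSL lookup. Returns 0 if
    no suffix in the (stub) list matches.
    """
    for n in range(len(labels), 0, -1):
        if ".".join(labels[-n:]).lower() in suffixes:
            return n
    return 0


def check_dnsname(name, allow_underscore=False, suffixes=REGISTRY_SUFFIXES):
    """Return (ok, reason) for a dNSName value.

    Strict mode enforces preferred name syntax on every label. With
    allow_underscore=True, "_" is additionally tolerated in labels that are
    not registry controlled and not immediately left of those labels.
    """
    if not name or len(name) > 253:
        return False, "total length must be 1..253 octets"
    try:
        name.encode("ascii")
    except UnicodeEncodeError:
        return False, "dNSName is an IA5String; use A-labels (xn--...) not U-labels"

    labels = name.split(".")
    # Assumption: an unrecognised suffix is treated as one registry-controlled
    # label so the TLD and the label beside it never get the relaxation.
    registry = max(1, registry_controlled_label_count(labels, suffixes))
    strict_from_right = registry + 1  # registry labels plus the one to their left

    for i, label in enumerate(labels):
        if not 1 <= len(label) <= 63:
            return False, f"label {i} length must be 1..63 octets: {label!r}"
        from_right = len(labels) - i  # 1 for the rightmost (top-level) label
        relaxed_here = allow_underscore and from_right > strict_from_right
        pattern = LDH_U_LABEL if relaxed_here else LDH_LABEL
        if not pattern.match(label):
            return False, f"label {i} violates preferred name syntax: {label!r}"

    if labels[-1].isdigit():
        return False, "top-level label must not be all-numeric (RFC 1123 2.1)"
    return True, "ok"


if __name__ == "__main__":
    for n in ("www.example.com", "weird_place.example.com", "weird_place.com",
              "foo_bar.example.co.uk", "-bad.example.com", "1.2.3.4"):
        print(f"{n:28} strict={check_dnsname(n)[0]!s:5} "
              f"relaxed={check_dnsname(n, allow_underscore=True)[0]}")
```

Note that the checker rejects wildcard names because "*" is not part of the preferred name syntax; a scanner applying the BRs would need to strip a leading "*." before calling it.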

