Le mardi 24 mars 2015 15:32:10 UTC+1, Florian Weimer a écrit : > * Kurt Roeckx:
> > We know that not everybody does add the SANs. But I think that if > > there is a name constraint and there is no SAN we should just either > > reject the certificate for being invalid or for not matching. > > This has to be integrated with certificate path processing somehow. > Maybe it is feasible to ignore the Subject DN if there is a name > constraint anywhere on the path? Ignore the CN when validating a certificate for TLS use. NameConstraints can have a directoryName form, and it applies to the SubjectDN. > That would be fairly straightforward to implement with other PKIX > validators (which generally lack the NSS hack for Common Name > verification). Providing support for legacy use of CN as FQDN while being strict on what-should-be-done isn't straightforward. Some bugs were raised when Firefox decided to disallow self-signed CA certs used as TLS server certs also. _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
