On Wed, Nov 18, 2015 at 2:22 AM, Rob Stradling <rob.stradl...@comodo.com> wrote:
> I would also like to get clarification on if/when the underscore character
> may be used in each of the name types.  Your report seems to flag
> underscores as always prohibited (I think), but I expect that some CAs would
> be surprised by that.

Here is a set of rules that are functionally equivalent to the ones
I'm using to check dNSNames in GeneralNames:

LABEL = "((?!-)[A-Za-z0-9-]{1,63}(?<!-))"
FQDN = "(#{LABEL}\\.)*#{LABEL}"
WILDCARD_DN = "\\*\\.#{FQDN}"
DNSNAME = "(#{FQDN}|#{WILDCARD_DN})"

dNSName =~ /\A#{DNSNAME}\z/

The FQDN rule is based on RFC 5280 section 4.2.1.6, which in turn
references RFCs 1123 and 1034.  There is no allowance for underscores
in domain names in these RFCs.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
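
Added example, not part of the message above and not the checker its author runs: the same four rules applied to constructed sample names, plus a hypothetical helper (dnsname_problems) that reports which rule each rejected dNSName breaks. The helper, the audit function and the sample names are assumptions made for illustration.

```ruby
# Added example. The four patterns restate the rules from the post; the dot in
# FQDN is written "\\." so the Ruby string yields a literal-dot regex.
LABEL       = "((?!-)[A-Za-z0-9-]{1,63}(?<!-))"
FQDN        = "(#{LABEL}\\.)*#{LABEL}"
WILDCARD_DN = "\\*\\.#{FQDN}"
DNSNAME_RE  = /\A(#{FQDN}|#{WILDCARD_DN})\z/

# Hypothetical helper: [] if the dNSName passes, else one reason per defect.
def dnsname_problems(name)
  return ["empty name"] if name.empty?
  labels = name.split(".", -1)                  # -1 keeps empty labels
  # A single leading "*" label is the only wildcard form the rules allow.
  labels.shift if labels.length > 1 && labels.first == "*"
  labels.flat_map do |label|
    next ["empty label"] if label.empty?
    found = []
    found << "label longer than 63 characters" if label.length > 63
    found << "label starts or ends with a hyphen" if label.start_with?("-") || label.end_with?("-")
    bad = label.scan(/[^A-Za-z0-9-]/).uniq
    found << "disallowed character(s): #{bad.join(' ')}" unless bad.empty?
    found
  end.uniq
end

# Constructed sample SAN entries, not taken from any real certificate.
SAMPLES = [
  "example.com", "*.example.com", "xn--bcher-kva.example",
  "foo_bar.example.com", "_dmarc.example.com", "-bad.example.com",
  "www.*.example.com", "example.com.", "#{'a' * 64}.example.com"
].freeze

# Maps each sample to its reasons and checks the helper agrees with the regex.
def audit(names)
  names.to_h do |name|
    problems = dnsname_problems(name)
    raise "helper and regex disagree on #{name.inspect}" unless problems.empty? == DNSNAME_RE.match?(name)
    [name, problems]
  end
end

if __FILE__ == $PROGRAM_NAME
  audit(SAMPLES).each { |name, problems| puts "#{name[0, 30].ljust(30)} #{problems.empty? ? 'ok' : problems.join('; ')}" }
end
```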
