Peter Bowen <pzbo...@gmail.com> wrote: > 2) For commonName attributes in subject DNs, clarify that they can only > contain: > - IPv4 address in dotted-decimal notation (specified as IPv4address > from section 3.2.2 of RFC 3986) > - IPv6 address in coloned-hexadecimal notation (specified as > IPv6address from section 3.2.2 of RFC 3986) > - Fully Qualified Domain Name or Wildcard Domain Name in the > "preferred name syntax" (specified by Section 3.5 of RFC1034 and as > modified by Section 2.1 of RFC1123) > - Fully Qualified Domain Name or Wildcard Domain Name in containing > u-labels (as specified in RFC 5890)
> 3) Forbid commonName attributes in subject DNs from containing a Fully > Qualified Domain Name or Wildcard Domain Name that contains both one > or more u-labels and one or more a-labels (as specified in RFC 5890). > I don't think these rules are necessary, because CAs are already required to encode all this information in the SAN, and if there is a SAN with a dNSName and/or iPAddress the browser is required to ignore the subject CNs. That is, if the certificate a SAN with a dNSName and/or iPAddress entry, then it doesn't really matter how the CN is encoded as long as it isn't misleading. > If the Forum decides to allow an exception to RFC 5280 to permit IP > address strings in dNSName general names, then require the same format > as allowed for common names. > That should not be done. As I mentioned in my other reply in this thread, Ryan Sleevi already described a workaround that seems to work very well: Encode the IP addresses in the SubjectAltName as iPAddress entries, and then also encode them as (normalized) ASCII dotted/colon-separated text in the subject CN, using more than one subject CN if there is more than one IP address. By the way, I believe that mozilla::pkix will reject all the invalid names that you found, except it accepts "_" in dNSNames. If you found some names that mozilla::pkix accepts that you think are invalid, I would love to hear about that. Cheers, Brian -- https://briansmith.org/ _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy