On Wed, Nov 18, 2015 at 5:43 PM, Brian Smith <br...@briansmith.org> wrote:
> Peter Bowen <pzbo...@gmail.com> wrote:
>>
>> 2) For commonName attributes in subject DNs, clarify that they can only
>> contain:
>>
>> - IPv4 address in dotted-decimal notation (specified as IPv4address
>>   from section 3.2.2 of RFC 3986)
>> - IPv6 address in coloned-hexadecimal notation (specified as
>>   IPv6address from section 3.2.2 of RFC 3986)
>> - Fully Qualified Domain Name or Wildcard Domain Name in the
>>   "preferred name syntax" (specified by Section 3.5 of RFC 1034 and as
>>   modified by Section 2.1 of RFC 1123)
>> - Fully Qualified Domain Name or Wildcard Domain Name containing
>>   u-labels (as specified in RFC 5890)
>>
>> 3) Forbid commonName attributes in subject DNs from containing a Fully
>> Qualified Domain Name or Wildcard Domain Name that contains both one
>> or more u-labels and one or more a-labels (as specified in RFC 5890).
>
> I don't think these rules are necessary, because CAs are already required to
> encode all this information in the SAN, and if there is a SAN with a dNSName
> and/or iPAddress the browser is required to ignore the subject CNs. That is,
> if the certificate has a SAN with a dNSName and/or iPAddress entry, then it
> doesn't really matter how the CN is encoded as long as it isn't misleading.
I'll leave that up to the Forum. I would prefer that we not have common names with arbitrary data, but if so, so be it.

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
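The CN forms proposed in the quoted message, as an added example that is not from the thread or from any CA/Browser Forum text: a small checker that classifies a subject commonName into one of the permitted forms (IPv4, IPv6, LDH FQDN/wildcard, or u-label name) and rejects a name that mixes u-labels with a-labels. The u-label check leans on Python's stdlib `idna` codec, which is assumed here as a loose stand-in for full RFC 5890 validation.

```python
import ipaddress
import re

# Label per RFC 1034 s3.5 as modified by RFC 1123 s2.1: letters, digits and
# hyphen, 1-63 characters, no leading or trailing hyphen.
_LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_common_name(cn: str) -> str:
    """Return which permitted form a subject CN takes, or 'invalid'.

    'ipv4' / 'ipv6'  address literal (IPv4address / IPv6address of RFC 3986)
    'dns'            FQDN or wildcard name in LDH preferred name syntax
                     (pure a-label names such as xn--... also land here)
    'idn'            FQDN or wildcard name containing u-labels and no a-labels
    A name mixing a-labels and u-labels is rejected, per item 3 of the proposal.
    """
    if not cn or len(cn) > 253 or "%" in cn:  # no zone-scoped IPv6 literals
        return "invalid"
    try:
        return "ipv4" if ipaddress.ip_address(cn).version == 4 else "ipv6"
    except ValueError:
        pass  # not an address literal; treat as a domain name
    labels = cn.split(".")
    if "*" in cn:
        # Only a whole leftmost label may be the wildcard, and something must follow it.
        if labels[0] != "*" or len(labels) < 2 or any("*" in l for l in labels[1:]):
            return "invalid"
        labels = labels[1:]
    has_alabel = has_ulabel = False
    for label in labels:
        if not label:  # empty label: leading/trailing/double dot
            return "invalid"
        if label.isascii():
            if not _LDH_LABEL.match(label):
                return "invalid"
            if label.lower().startswith("xn--"):
                has_alabel = True
        else:
            # Non-ASCII label: treat as a u-label. Assumption: the stdlib IDNA
            # codec is a loose sanity check, not a full RFC 5890 validator.
            try:
                label.encode("idna")
            except UnicodeError:
                return "invalid"
            has_ulabel = True
    if has_alabel and has_ulabel:
        return "invalid"
    return "idn" if has_ulabel else "dns"
```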