On Wed, Nov 18, 2015 at 5:43 PM, Brian Smith <br...@briansmith.org> wrote:
> Peter Bowen <pzbo...@gmail.com> wrote:
>>
>> 2) For commonName attributes in subject DNs, clarify that they can only
>> contain:
>>
>> - IPv4 address in dotted-decimal notation (specified as IPv4address
>> from section 3.2.2 of RFC 3986)
>> - IPv6 address in coloned-hexadecimal notation (specified as
>> IPv6address from section 3.2.2 of RFC 3986)
>> - Fully Qualified Domain Name or Wildcard Domain Name in the
>> "preferred name syntax" (specified by Section 3.5 of RFC1034 and as
>> modified by Section 2.1 of RFC1123)
>> - Fully Qualified Domain Name or Wildcard Domain Name containing
>> u-labels (as specified in RFC 5890)
>>
>>
>> 3) Forbid commonName attributes in subject DNs from containing a Fully
>> Qualified Domain Name or Wildcard Domain Name that contains both one
>> or more u-labels and one or more a-labels (as specified in RFC 5890).
>
>
> I don't think these rules are necessary, because CAs are already required to
> encode all this information in the SAN, and if there is a SAN with a dNSName
> and/or iPAddress the browser is required to ignore the subject CNs. That is,
> if the certificate has a SAN with a dNSName and/or iPAddress entry, then it
> doesn't really matter how the CN is encoded as long as it isn't misleading.

I'll leave that up to the Forum.  I would prefer that we not have
common names with arbitrary data, but if so, so be it.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
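Added example, not part of the thread or of any CA/Browser Forum text: a small checker that applies Peter's proposed commonName rules (items 2 and 3 above) and a helper that applies the precedence rule Brian describes, where a SAN carrying a dNSName or iPAddress makes the CN irrelevant. The function names, the category strings, and the decision to treat any non-ASCII label as a U-label without a full IDNA2008 validation are my own assumptions.

```python
import ipaddress
import re

# RFC 1034 s3.5 "preferred name syntax" label, with the RFC 1123 s2.1
# relaxation that a label may start with a digit: 1..63 letters, digits and
# hyphens, no leading or trailing hyphen.
_LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
_MAX_NAME_OCTETS = 253  # 255-octet wire limit minus the length and root octets


def label_kind(label: str) -> str:
    """Classify one DNS label: 'a' (A-label, xn-- prefix), 'u' (U-label),
    'ldh' (plain ASCII preferred syntax) or 'bad'."""
    if any(ord(ch) > 0x7F for ch in label):
        # Assumption: any non-ASCII label counts as a U-label. A strict checker
        # would also validate it against the IDNA2008 rules of RFC 5891; here
        # the punycode form is used only as a cheap 63-octet length sanity check.
        try:
            ace = label.encode("punycode")
        except UnicodeError:
            return "bad"
        return "u" if 1 <= len(ace) + 4 <= 63 else "bad"
    if not _LDH_LABEL.match(label):
        return "bad"
    return "a" if label.lower().startswith("xn--") else "ldh"


def classify_common_name(cn: str) -> str:
    """Return which proposed CN form the value matches, or 'invalid'.

    Forms: 'ipv4', 'ipv6', 'fqdn', 'wildcard', 'idn-fqdn', 'idn-wildcard'.
    A name that mixes U-labels and A-labels (item 3) is 'invalid'.
    """
    if not cn or "%" in cn:  # RFC 3986 IPv6address has no zone identifier
        return "invalid"
    # Item 2, first two bullets: IPv4 dotted-decimal or IPv6 coloned-hex.
    try:
        addr = ipaddress.ip_address(cn)
        return "ipv4" if addr.version == 4 else "ipv6"
    except ValueError:
        pass

    # Item 2, last two bullets: FQDN or wildcard name, LDH or with u-labels.
    labels = cn.split(".")
    wildcard = labels[0] == "*"
    if wildcard:
        labels = labels[1:]
    # At least one label is needed; an empty label catches leading,
    # trailing and doubled dots.
    if not labels or any(label == "" for label in labels):
        return "invalid"
    kinds = {label_kind(label) for label in labels}
    if "bad" in kinds:
        return "invalid"
    if "u" in kinds and "a" in kinds:
        return "invalid"  # item 3: no mixing of u-labels and a-labels
    if "u" not in kinds and len(cn) > _MAX_NAME_OCTETS:
        return "invalid"
    return ("idn-" if "u" in kinds else "") + ("wildcard" if wildcard else "fqdn")


def reference_identifiers(san_dns_names, san_ip_addresses, cn):
    """Names a client should match the host against (RFC 6125 s6.4.4, and
    Brian's point above): if the SAN holds any dNSName or iPAddress the CN is
    ignored entirely; only a certificate without either falls back to the CN."""
    if san_dns_names or san_ip_addresses:
        return list(san_dns_names) + list(san_ip_addresses)
    return [cn] if cn else []


if __name__ == "__main__":
    # Constructed sample values, not taken from any real certificate.
    for sample in ("192.0.2.10", "2001:db8::1", "*.example.com",
                   "bücher.example", "bücher.xn--mnchen-3ya.example", "-bad.example"):
        print(f"{sample!r}: {classify_common_name(sample)}")
    print(reference_identifiers(["www.example.com"], [], "ignored.example"))
```

The checker is deliberately a classifier rather than a boolean so that a linter can report which bullet a CN satisfied; anything it labels `invalid` is a CN that Peter's wording would forbid, and `reference_identifiers` shows why Brian considers the question moot whenever a usable SAN is present.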