On Thu, Nov 19, 2015 at 4:26 PM, Brian Smith <br...@briansmith.org> wrote:
> Peter Bowen <pzbo...@gmail.com> wrote:
>>
>> Robin Alden <ro...@comodo.com> wrote:
>> Given that it doesn't, but that the BRs say "MUST be either a
>> dNSName containing the Fully-Qualified Domain Name or an iPAddress
>> containing the IP address", it is clear we still need to have a valid
>> FQDN. I'll update my scanner to allow "_" in the labels that are not
>> registry controlled or in the label that is immediately to the left of
>> the registry controlled labels. Give me a little while and I'll
>> upload a revised data set with this fix.
>
>
> See https://bugzilla.mozilla.org/show_bug.cgi?id=1136616. In mozilla::pkix,
> we had to allow the underscore because of AWS.
Touché :)

It looks like S3 allows underscores but calls out that they are not DNS compliant (http://docs.aws.amazon.com/AmazonS3/latest/dev/BucketRestrictions.html). People accessing these buckets should be using the https://s3.amazonaws.com/$BUCKET/$KEY URL format, not the https://$BUCKET.s3.amazonaws.com/$KEY URL format. I will talk to the S3 team about ensuring that all names published in DNS are compliant with RFC 1123.

That being said, I updated the spreadsheet to allow underscores in both the CN and dNSName generalName. Please note that the updated sheet has a slightly different column order. I also added rules to check for nulls in dNSNames (one hit), unparsable ASN.1 in the subjectAltName extension (23 hits), and basic validation for RFC822Names in SANs (even though they are not allowed by the BRs).

The sheet is available at: https://docs.google.com/spreadsheets/d/1lJt-1tkgKcbw5woEr4-tcpqB-M-HKwjFNSdX2jla2EU/edit?usp=sharing

As always, I welcome feedback.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
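As an added example (not code from this thread, from Peter's scanner, or from mozilla::pkix), here is a small Python checker that implements the dNSName rules discussed above: RFC 1123 label syntax, the BR requirement that a dNSName carry an FQDN rather than an IP literal, rejection of embedded NULs, and the relaxed treatment of "_" Peter describes, where underscores are tolerated only in labels below the registrable domain and never in the public suffix or in the label immediately to its left. The public-suffix list is a constructed stub for the example; a real scanner would load the full Mozilla Public Suffix List. The sample names at the bottom are likewise constructed.

```python
import re

# Constructed mini public-suffix list for this example only; a real scanner
# would load the full Mozilla Public Suffix List (https://publicsuffix.org/).
PUBLIC_SUFFIXES = {"com", "org", "net", "uk", "co.uk"}

# RFC 1123 hostname label: letters, digits, hyphen; no leading/trailing
# hyphen; 1..63 octets.
RFC1123_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")
# Same shape but additionally tolerating "_" (the relaxation from the thread).
RELAXED_LABEL = re.compile(r"[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?")


def public_suffix_length(labels):
    """Number of trailing labels forming the longest listed public suffix.

    Mirrors the PSL algorithm's fallback: an unlisted TLD is itself the suffix.
    """
    for n in range(len(labels), 0, -1):
        if ".".join(labels[-n:]).lower() in PUBLIC_SUFFIXES:
            return n
    return 1


def check_dnsname(name):
    """Return (ok, reason) for one SAN dNSName or CN value."""
    if not isinstance(name, str) or name == "":
        return False, "empty name"
    if "\x00" in name:
        return False, "embedded NUL"
    if not name.isascii():
        return False, "non-ASCII (dNSName is IA5String; use A-labels)"
    if len(name) > 253:
        return False, "name longer than 253 octets"

    labels = name.split(".")
    if any(label == "" for label in labels):
        return False, "empty label (leading, trailing or double dot)"
    # RFC 1123 2.1: the top-level label is never all-numeric, so a dotted
    # quad can never be a valid hostname; the BRs want it in iPAddress.
    if labels[-1].isdigit():
        return False, "numeric top-level label (IP literal belongs in iPAddress)"

    wildcard = labels[0] == "*"
    if wildcard:
        labels = labels[1:]
        if not labels:
            return False, "bare wildcard"
    if any("*" in label for label in labels):
        return False, "wildcard not in leftmost label"

    n_suffix = public_suffix_length(labels)
    # Index of the label immediately left of the registry-controlled labels.
    # A negative index means the name (or the part under "*") is only a
    # public suffix, which also covers "*.com" and "*.co.uk".
    registrable = len(labels) - n_suffix - 1
    if registrable < 0:
        return False, "name is only a public suffix; no registrable domain"

    for i, label in enumerate(labels):
        # Underscore only below the registrable domain: never in the public
        # suffix and never in the label immediately to its left.
        pattern = RELAXED_LABEL if i < registrable else RFC1123_LABEL
        if not pattern.fullmatch(label):
            if "_" in label and i >= registrable:
                return False, f"underscore in registry-controlled or registrable label {label!r}"
            return False, f"label {label!r} is not RFC 1123 hostname syntax"
    return True, "ok"


def tally(names):
    """Count rejection reasons across many names, like a scanner's summary."""
    counts = {}
    for name in names:
        ok, reason = check_dnsname(name)
        if not ok:
            counts[reason] = counts.get(reason, 0) + 1
    return counts


if __name__ == "__main__":
    # Constructed sample input, not data from the spreadsheet in the thread.
    sample = [
        "www.example.com", "my_bucket.s3.amazonaws.com", "*.example.com",
        "my_bucket.co.uk", "example_com.com", "*.com", "192.168.0.1",
        "example.com.", "www.example.com\x00evil", "www.*.example.com",
    ]
    for n in sample:
        print(repr(n), "->", check_dnsname(n))
    print(tally(sample))
```

Names such as my_bucket.s3.amazonaws.com pass because the underscore sits two labels below the registrable domain, while my_bucket.co.uk fails because the PSL stub makes "my_bucket" the registrable label itself. Feeding the checker the raw bytes of each dNSName (rather than a string that has already been NUL-truncated by some ASN.1 library) is what makes the embedded-NUL check meaningful.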