On Wednesday, November 18, 2015 at 5:43:57 PM UTC-8, Brian Smith wrote:
> Peter Bowen wrote:
> > 2) For commonName attributes in subject DNs, clarify that they can only
> > contain:
> >
> - IPv4 address in dotted-decimal notation (specified as IPv4address
> > from section 3.2.2 of RFC 3986)
> > - IPv6 address in coloned-hexadecimal notation (specified as
> > IPv6address from section 3.2.2 of RFC 3986)
> > - Fully Qualified Domain Name or Wildcard Domain Name in the
> > "preferred name syntax" (specified by Section 3.5 of RFC1034 and as
> > modified by Section 2.1 of RFC1123)
> > - Fully Qualified Domain Name or Wildcard Domain Name in containing
> > u-labels (as specified in RFC 5890)
> > 3) Forbid commonName attributes in subject DNs from containing a Fully
> > Qualified Domain Name or Wildcard Domain Name that contains both one
> > or more u-labels and one or more a-labels (as specified in RFC 5890).
> >
> I don't think these rules are necessary, because CAs are already required
> to encode all this information in the SAN, and if there is a SAN with a
> dNSName and/or iPAddress the browser is required to ignore the subject CNs.
> That is, if the certificate a SAN with a dNSName and/or iPAddress entry,
> then it doesn't really matter how the CN is encoded as long as it isn't
> misleading.
> > If the Forum decides to allow an exception to RFC 5280 to permit IP
> > address strings in dNSName general names, then require the same format
> > as allowed for common names.
> >
> That should not be done. As I mentioned in my other reply in this thread,
> Ryan Sleevi already described a workaround that seems to work very well:
> Encode the IP addresses in the SubjectAltName as iPAddress entries, and
> then also encode them as (normalized) ASCII dotted/colon-separated text in
> the subject CN, using more than one subject CN if there is more than one IP
> address.
> By the way, I believe that mozilla::pkix will reject all the invalid names
> that you found, except it accepts "_" in dNSNames. If you found some names
> that mozilla::pkix accepts that you think are invalid, I would love to hear
> about that.
> Cheers,
> Brian
> -- 
> https://briansmith.org/

Multiple common names were flagged as an attack vector in Kaminsky's PKI Layer 
Cake paper at 
Specifically, the paper said that Firefox respected only the last CN in the DN. 
We need to be sure that all browsers (mobile too) respect all CNs. And this 
solution may be risky too because CN is being deprecated.
dev-security-policy mailing list

Reply via email to