Hi all, of the CABF Baseline Requirements requires that common names always 
be an element from the SAN.

Here are 62 certs, from a variety of CAs which do not meet that requirement: 

These appear to be for a variety of reasons:

- just plain wrongness :-)
- leading/trailing spaces in either the CN or the SAN
- Using non-IDNA encoded values in the CN, but (correctly!) IDNA encoding the 
- My personal favorite, the presence of zero-width-space unicode characters in 
the CN

There's probably some other reasons, there's a lot to sort through.

I've notified several of the CAs already, but not all. (I notably haven't yet 
notified Symantec, who appear to have the plurality of these because of the 
IDNA issue).

dev-security-policy mailing list

Reply via email to