Section 7.1.4.2.2 of the CABF Baseline Requirements requires that common names always
be an element from the SAN.
Here are 62 certs from a variety of CAs which do not meet that requirement:
These appear to be for a variety of reasons:
- just plain wrongness :-)
- leading/trailing spaces in either the CN or the SAN
- Using non-IDNA encoded values in the CN, but (correctly!) IDNA encoding the
- My personal favorite, the presence of zero-width-space unicode characters in
There are probably some other reasons; there's a lot to sort through.
I've notified several of the CAs already, but not all. (I notably haven't yet
notified Symantec, who appear to have the plurality of these because of the
dev-security-policy mailing list
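A small checker for the rule the post describes, added here as an example and not part of the original post or of any CA's tooling. It assumes the CN and SAN dNSName strings have already been extracted from a certificate by whatever X.509 parser you use, and sorts a failing CN into the failure modes listed above (stray whitespace, zero-width characters, a U-label CN beside an A-label SAN) using only the standard library's IDNA codec; the sample records are constructed, not the 62 certs from the post.

```python
# Invisible code points that make a CN look identical to a SAN entry on screen
# (constructed list: ZWSP, ZWNJ, ZWJ, word joiner, BOM).
ZERO_WIDTH = "\u200b\u200c\u200d\u2060\ufeff"


def to_alabel(name: str):
    """Map a hostname to its lowercase IDNA A-label with the stdlib codec; None if invalid."""
    try:
        return name.encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None


def classify_cn(cn: str, sans: list) -> str:
    """Classify a CN against the 'CN must be one of the SAN values' rule.

    Returns 'ok' for a byte-for-byte match with some SAN entry, otherwise the
    most likely reason it fails: 'whitespace', 'zero-width', 'non-idna-cn',
    or 'mismatch' when none of the known explanations applies.
    """
    if cn in sans:
        return "ok"
    # Leading/trailing spaces in either the CN or the SAN entries.
    if cn.strip() in {s.strip() for s in sans}:
        return "whitespace"
    # Zero-width characters hidden inside the CN.
    cleaned = cn.translate({ord(c): None for c in ZERO_WIDTH})
    if cleaned != cn and cleaned in sans:
        return "zero-width"
    # Unicode (U-label) CN while the SAN carries the IDNA A-label form.
    if not cn.isascii() and to_alabel(cn) in {s.lower() for s in sans}:
        return "non-idna-cn"
    return "mismatch"


def lint(records) -> dict:
    """Count classification results over (cn, sans) pairs from a certificate corpus."""
    counts = {}
    for cn, sans in records:
        reason = classify_cn(cn, sans)
        counts[reason] = counts.get(reason, 0) + 1
    return counts


SAMPLE = [  # constructed records, one per failure mode; not real certificates
    ("example.com", ["example.com", "www.example.com"]),
    (" example.com", ["example.com"]),
    ("exam\u200bple.com", ["example.com"]),
    ("münchen.example", ["xn--mnchen-3ya.example"]),
    ("other.example", ["example.com"]),
]

if __name__ == "__main__":
    for cn, sans in SAMPLE:
        print(repr(cn), "->", classify_cn(cn, sans))
    print(lint(SAMPLE))
```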