> On Aug 15, 2017, at 15:37, Kathleen Wilson via dev-security-policy
> <[email protected]> wrote:
>
> ** Common Name not in SAN
> https://groups.google.com/d/msg/mozilla.dev.security.policy/K3sk5ZMv2DE/4oVzlN1xBgAJ
> It is not clear to me if I need to add this item to the Bugzilla Bugs that I
> will be filing. Please let me know if you think I need to add this item to
> the bugs.
This is a legitimate BR violation and should be listed. In addition to the basic issue, this also uncovered a variety of certificates with invalid domains in the CN field. The only CA that has contested this is Symantec[0], who have issued certificates with U-labels in the CN that do not match the capitalization of the corresponding SAN A-label. It’s not clear that U-labels are allowed at all in the CN, let alone labels that do not match any dnsNames, and none of the ballots that attempt to explicitly allow this have been adopted.

Jonathan

[0] https://groups.google.com/d/msg/mozilla.dev.security.policy/K3sk5ZMv2DE/rxEptYe7BwAJ
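The check being discussed (is the subject CN one of the certificate's dNSName SANs, and is it a well-formed domain at all) is easy to lint for. The script below is an added example, not part of the thread or any CA's tooling. It takes a CN string and a list of dNSName SANs as already-extracted strings (a real audit would pull them from the certificate with a library such as `cryptography`), uses Python's stdlib `idna` codec (IDNA 2003, not IDNA 2008) to convert U-labels to A-labels, and distinguishes an exact match from one that only holds after IDNA conversion and case-folding, which is the Symantec situation described above. The sample certificate records at the bottom are constructed; the `_FQDN_RE` pattern and `audit_certs` helper are this example's own and accept only hostnames (an IP address in the CN is reported as `invalid`, a simplification).

```python
import re
from collections import Counter

# Hostname label per RFC 1123 after A-label conversion: 1-63 chars of
# [a-z0-9-], not starting or ending with a hyphen. A leading "*." wildcard
# label is permitted. Assumption of this example: IP addresses are not handled.
_LABEL = r"(?!-)[a-z0-9-]{1,63}(?<!-)"
_FQDN_RE = re.compile(rf"^(\*\.)?(?:{_LABEL}\.)+{_LABEL}$")


def to_alabel(name: str) -> str:
    """Return the lowercase A-label form of a hostname.

    Non-ASCII labels go through nameprep + punycode via the stdlib IDNA codec;
    ASCII labels pass through untouched, so .lower() is applied explicitly.
    Raises UnicodeError for labels that cannot be converted (empty, too long).
    """
    return name.encode("idna").decode("ascii").lower()


def check_cn_against_sans(cn: str, dns_sans: list[str]) -> tuple[str, str]:
    """Classify a certificate's CN relative to its dNSName SANs.

    Verdicts (strictest to loosest):
      'invalid'    CN is not a well-formed DNS name or cannot be IDNA-encoded
      'exact'      CN is byte-for-byte one of the SANs (what the BRs require)
      'normalized' CN matches a SAN only after IDNA/case normalization
                   (e.g. a U-label CN next to an A-label SAN)
      'missing'    CN matches no SAN at all
    """
    try:
        cn_a = to_alabel(cn)
    except UnicodeError as exc:
        return "invalid", f"CN {cn!r} cannot be converted to an A-label: {exc}"
    if not _FQDN_RE.match(cn_a):
        return "invalid", f"CN {cn!r} is not a well-formed DNS name"
    if cn in dns_sans:
        return "exact", f"CN {cn!r} is present verbatim in the SANs"
    for san in dns_sans:
        try:
            if to_alabel(san) == cn_a:
                return ("normalized",
                        f"CN {cn!r} matches SAN {san!r} only after IDNA/case normalization")
        except UnicodeError:
            continue  # malformed SAN; it cannot be the match we are looking for
    return "missing", f"CN {cn!r} is not present in SANs {dns_sans!r}"


def audit_certs(records: list[tuple[str, list[str]]]) -> Counter:
    """Run the check over (cn, sans) pairs and count verdicts."""
    return Counter(check_cn_against_sans(cn, sans)[0] for cn, sans in records)


# Constructed sample records (not real certificates), one per verdict.
SAMPLE_RECORDS = [
    ("www.example.com", ["www.example.com", "example.com"]),
    ("Bücher.example", ["xn--bcher-kva.example"]),
    ("www.example.com", ["example.com", "mail.example.com"]),
    ("bad_host.example", ["bad_host.example"]),
]

if __name__ == "__main__":
    for cn, sans in SAMPLE_RECORDS:
        verdict, detail = check_cn_against_sans(cn, sans)
        print(f"{verdict:<10} {detail}")
    print(dict(audit_certs(SAMPLE_RECORDS)))
```

Anything other than `exact` is worth a closer look: `normalized` is the contested case from the thread (a U-label CN that the issuer argues is "the same name" as the A-label SAN), and `invalid` catches the internal or malformed names that the original scan also surfaced.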

