Hi Hanno!

On 29.10.2017 at 19:42, Hanno Böck via dev-security-policy wrote:

> This certificate has a duplicate commonname: https://crt.sh/?id=242683153&opt=problemreporting
The cert was issued by our systems (DFN-PKI).
> This was pointed out by Mattias Geniar: https://twitter.com/mattiasgeniar/status/924705516974112768
>
> I'm not entirely sure if the wording of the BRs forbids this (they say the CN field must contain a single IP or fqdn, but don't really consider the case that 2 CNs can be present), though this is clearly malformed.

I don't see why you say that this certificate is malformed. On what basis? The BRs don't forbid this; RFC 5280 doesn't forbid this.
There was even http://wiki.cacert.org/VhostTaskForce#A2._Way:_Multiple_CommonNames_in_the_same_certificate
The author of cablint thinks multi-CN justifies a warning (I guess because browser support of multi-CN is nowadays non-existent).
> I have informed telesec / Deutsche Telekom about this (this is indirectly signed by them) via their contact form. I haven't checked if other such certificates exist.

Of course they exist.

Regards,
Jürgen
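An added check for the condition being discussed, a subject with more than one commonName attribute, written for this thread and not taken from DFN-PKI, cablint, or either poster. The DER helpers and the sample subjects (with hypothetical example.org names) are constructed here; the lint counts CNs across all RDNs, so it also catches a multi-valued RDN holding two CNs.

```python
# Minimal DER helpers for an X.509 subject Name (RFC 5280 RDNSequence).
CN_OID = bytes.fromhex("550403")        # id-at-commonName (2.5.4.3), DER-encoded
COUNTRY_OID = bytes.fromhex("550406")   # id-at-countryName (2.5.4.6)

def tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV; short-form length only (enough for the samples)."""
    assert len(body) < 0x80, "sample encoder handles bodies < 128 bytes only"
    return bytes([tag, len(body)]) + body

def read_tlv(buf: bytes, pos: int):
    """Decode one TLV at pos (short or long-form length); return (tag, body, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:
        n, pos = first, pos + 2
    else:
        k = first & 0x7F
        n, pos = int.from_bytes(buf[pos + 2:pos + 2 + k], "big"), pos + 2 + k
    return tag, buf[pos:pos + n], pos + n

def children(body: bytes):
    """Split a constructed body into its (tag, body) members."""
    out, pos = [], 0
    while pos < len(body):
        tag, inner, pos = read_tlv(body, pos)
        out.append((tag, inner))
    return out

def atv(oid: bytes, value: str) -> bytes:
    """AttributeTypeAndValue ::= SEQUENCE { type OID, value UTF8String }."""
    return tlv(0x30, tlv(0x06, oid) + tlv(0x0C, value.encode("utf-8")))

def name(*rdns: bytes) -> bytes:
    """Name ::= SEQUENCE OF RDN; each RDN is a SET of one or more ATVs."""
    return tlv(0x30, b"".join(tlv(0x31, r) for r in rdns))

def common_names(name_der: bytes) -> list:
    """Every commonName value in the subject, in order, across all RDNs."""
    tag, body, _ = read_tlv(name_der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    cns = []
    for _, rdn in children(body):            # each RDN (SET)
        for _, attr in children(rdn):        # each ATV inside the RDN
            (_, oid), (_, val) = children(attr)[:2]
            if oid == CN_OID:
                cns.append(val.decode("utf-8"))
    return cns

def lint_subject(name_der: bytes) -> str:
    """Flag a subject carrying more than one CN, the case cablint warns about."""
    cns = common_names(name_der)
    if len(cns) > 1:
        return "WARN: %d commonName attributes in subject: %s" % (len(cns), cns)
    return "ok"

# Constructed sample subjects (not the certificate from the thread):
DUP_CN = name(atv(COUNTRY_OID, "DE"), atv(CN_OID, "www.example.org"), atv(CN_OID, "example.org"))
MULTIVALUED_RDN = name(atv(CN_OID, "a.example.org") + atv(CN_OID, "b.example.org"))
SINGLE_CN = name(atv(COUNTRY_OID, "DE"), atv(CN_OID, "www.example.org"))
```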

