On Thu, Aug 9, 2018 at 8:24 AM, Nick Lamb via dev-security-policy < [email protected]> wrote:
> On Fri, 20 Jul 2018 21:38:45 -0700
> Peter Bowen via dev-security-policy
> <[email protected]> wrote:
>
> > https://crt.sh/?id=294808610&opt=zlint,cablint is one of the
> > certificates. It is not clear to me that there is an error here.
> > The DNS names in the SAN are correctly encoded and the Common Name in
> > the subject has one of the names found in the SAN. The Common Name
> > contains a DNS name that is the U-label form of one of the SAN
> > entries.
> >
> > It is currently undefined if this is acceptable or unacceptable for
> > certificates covered by the BRs. I put a CA/Browser Forum ballot
> > forward a while ago to try to clarify it was not acceptable, but it
> > did not pass as several CAs felt it was not only acceptable but is
> > needed and desirable.
>
> It would be helpful if any such CAs can tell us why this was "needed and
> desirable" with actual examples.
>
> Since the CN field in Web PKI certs always contains information
> duplicated from a field that has been better defined for decades I'm
> guessing in most cases the cause is crappy software. But if we know
> which software is crappy we can help get that fixed rather than
> muddling along forever.

This information is readily available in the discussions for CA/Browser Forum Ballot 202 - https://cabforum.org/2017/07/26/ballot-202-underscore-wildcard-characters/ - which would have unambiguously specified and clarified this.

The following CAs voted against: Buypass, CFCA, DocuSign France, Entrust, GDCA, GlobalSign, SHECA

Buypass - https://cabforum.org/pipermail/public/2017-July/011744.html
CFCA - https://cabforum.org/pipermail/public/2017-July/011733.html
Docusign - https://cabforum.org/pipermail/public/2017-July/011708.html
Entrust - https://cabforum.org/pipermail/public/2017-July/011747.html
GlobalSign - https://cabforum.org/pipermail/public/2017-July/011692.html
GDCA - https://cabforum.org/pipermail/public/2017-July/011736.html
SHECA - https://cabforum.org/pipermail/public/2017-July/011737.html

You can see not all objections are strictly related to that matter at hand, but hopefully it provides you further information.
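
An added example, not part of the original thread or of any linter named in it: a small check that separates the case discussed above (Common Name is the U-label form of an A-label SAN entry) from an exact match and from a CN that is absent from the SAN. The function names, the result strings and the sample names are constructed for illustration, and the conversion assumes Python's built-in IDNA 2003 codec rather than IDNA 2008.

```python
# Classify how a certificate's subject CN relates to its SAN dNSName entries.
# Assumption: Python's built-in "idna" codec (IDNA 2003) does the conversion.

def to_a_label(name: str) -> str:
    """Return the ASCII (xn--) form of a DNS name, lowercased, no trailing dot."""
    # The codec raises UnicodeError for empty or over-long labels.
    return name.rstrip(".").encode("idna").decode("ascii").lower()


def classify_cn(cn: str, san_dns_names: list[str]) -> str:
    """Return 'exact', 'u-label-of-san', 'not-in-san' or 'invalid'."""
    sans = {s.rstrip(".").lower() for s in san_dns_names}
    if cn.rstrip(".").lower() in sans:
        return "exact"            # CN is byte-for-byte one of the SAN names
    try:
        a_label = to_a_label(cn)
    except UnicodeError:
        return "invalid"          # CN is not a convertible DNS name
    if a_label in sans:
        return "u-label-of-san"   # the situation described in the thread
    return "not-in-san"           # CN names a host the SAN does not cover


# Constructed sample data (not taken from the certificate linked above).
SAMPLE_SANS = ["xn--bcher-kva.example", "www.example.com"]
SAMPLE_CNS = [
    "b\u00fccher.example",    # U-label form of the first SAN entry
    "www.example.com",        # plain ASCII, identical to a SAN entry
    "m\u00fcnchen.example",   # U-label with no matching SAN entry
    "a..example",             # empty label, cannot be converted
]

if __name__ == "__main__":
    for cn in SAMPLE_CNS:
        print(f"{cn!r}: {classify_cn(cn, SAMPLE_SANS)}")
```
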

