On Tue, May 31, 2016 at 02:49:05PM +0000, Blumenthal, Uri - 0553 - MITLL wrote:
> >Could you explain your point in more detail than putting "wrong"
> >in bold text?  Though ad-hoc, it seems about the best one can do,
> >absent additional information.
>
> IMHO allowing CN to be interpreted as a DNS name would open a new attack
> surface by making more name collisions (between people and host names)
> possible.

That genie is already out of the bottle, see RFC6125 references
upthread.  What's under discussion is extending DNS nameConstraints
to the CN, *given* that it is already often used in name checks.
Nobody is proposing using CN in name checks where it is not already
in use.

-- 
	Viktor.
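
An added illustration of the idea under discussion, not part of the original message and not OpenSSL's code: DNS nameConstraints are applied to the subject CN only where the CN would be used in a name check anyway. Assumptions: the CN is consulted only when the certificate carries no dNSName SAN, the "looks like a DNS name" heuristic is the one written here, and all function names and sample names are constructed.

```python
import re

# Assumption: a CN "looks like" a host name if it has two or more LDH labels,
# optionally with a leftmost "*" wildcard label.
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def looks_like_dns_name(cn):
    labels = cn.lower().rstrip(".").split(".")
    if labels[0] == "*":
        labels = labels[1:]
    return len(labels) >= 2 and all(_LABEL.match(l) for l in labels)

def in_subtree(name, constraint):
    # RFC 5280 4.2.1.10: a DNS name satisfies a constraint if it equals it or
    # is formed by adding labels on the left-hand side.
    name = name.lower().rstrip(".")
    constraint = constraint.lower().rstrip(".")
    return name == constraint or name.endswith("." + constraint)

def names_to_constrain(cn, san_dns):
    # With a dNSName SAN present, name checks ignore the CN, so only the SANs
    # are constrained. Otherwise the CN is the fallback identity and is
    # constrained if it is host-name shaped.
    if san_dns:
        return list(san_dns)
    return [cn] if cn and looks_like_dns_name(cn) else []

def dns_constraints_ok(cn, san_dns, permitted, excluded):
    for name in names_to_constrain(cn, san_dns):
        if any(in_subtree(name, c) for c in excluded):
            return False
        if permitted and not any(in_subtree(name, c) for c in permitted):
            return False
    return True

if __name__ == "__main__":
    permitted, excluded = ["example.com"], ["internal.example.com"]
    # Constructed sample certificates: (CN, dNSName SANs)
    for cn, san in [("Alice Example", []), ("www.example.com", []),
                    ("www.evil.test", []), ("*.evil.test", []),
                    ("host.internal.example.com", []),
                    ("www.evil.test", ["www.example.com"])]:
        print(cn, san, dns_constraints_ok(cn, san, permitted, excluded))
```
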