Re: Name issues in public certificates

2015-12-10 Thread Matthias Hunstock
On 09.12.2015 at 18:46, Peter Bowen wrote:
> Do you have an example where you think IPv6 addresses are not being
> handled correctly?
Serial 19D70E1B381579 in your document is the example I stumbled upon. I managed to get the complete cert from the server and cannot see any issues there. It

Re: Name issues in public certificates

2015-12-10 Thread Peter Bowen
On Thu, Dec 10, 2015 at 6:07 AM, Matthias Hunstock wrote:
> On 09.12.2015 at 18:46, Peter Bowen wrote:
>
>> Do you have an example where you think IPv6 addresses are not being
>> handled correctly?
>
> Serial 19D70E1B381579 in your document is the example I stumbled upon.
>

Re: Name issues in public certificates

2015-12-10 Thread Matthias Hunstock
On 10.12.2015 at 15:47, Peter Bowen wrote:
> Apologies for this. I will get the tool updated to ensure that IPv6
> addresses do not cause a flag.
Thank you for fixing this!
Matthias
___
dev-security-policy mailing list

Re: Name issues in public certificates

2015-12-09 Thread Peter Bowen
On Wed, Dec 9, 2015 at 9:35 AM, Matthias Hunstock wrote:
> On 17.11.2015 at 09:04, Peter Bowen wrote:
>
>> There are a couple of rules that may create false positives, so please
>> don't assume every certificate on the sheet is problematic.
>
> Is it possible that your script

Re: Name issues in public certificates

2015-12-09 Thread Matthias Hunstock
On 17.11.2015 at 09:04, Peter Bowen wrote:
> There are a couple of rules that may create false positives, so please
> don't assume every certificate on the sheet is problematic.
Is it possible that your script doesn't handle IPv6 addresses properly?
Regards

RE: Name issues in public certificates

2015-11-19 Thread Robin Alden
Peter said..
> While I realize that it is not clear cut in many contexts, RFC 5280 is
> rather clear cut. The authors clearly wanted to avoid stumbling and
> being eaten by a grue, so they wrote:
>
>    When the subjectAltName extension contains a domain name system
>    label, the domain name

Re: Name issues in public certificates

2015-11-19 Thread Peter Bowen
On Thu, Nov 19, 2015 at 4:26 PM, Brian Smith wrote:
> Peter Bowen wrote:
>>
>> Robin Alden wrote:
>> Given that it doesn't, but that the BRs say "MUST be either a
>> dNSName containing the Fully‐Qualified Domain Name or an

Re: Name issues in public certificates

2015-11-19 Thread Peter Bowen
On Thu, Nov 19, 2015 at 11:57 AM, Robin Alden wrote:
> Peter said..
>> While I realize that it is not clear cut in many contexts, RFC 5280 is
>> rather clear cut. The authors clearly wanted to avoid stumbling and
>> being eaten by a grue, so they wrote:
>>
>>    When the

Re: Name issues in public certificates

2015-11-19 Thread Patrick T
On Tuesday, 17 November 2015 08:04:41 UTC, Peter Bowen wrote:
> Inspired by Rob Stradling's work
> (https://cabforum.org/pipermail/public/2015-November/006269.html), I
> wrote a quick tool to check that commonNames and Subject Alternative
> Names in server auth certificates issued by public CAs