On 08/02/2014 04:09 AM, Jason Uh wrote:
> Hi Florian,
>
> Thanks for your input. There was some discussion about the issue in the
> past on this list:
> http://mail.openjdk.java.net/pipermail/security-dev/2013-February/006622.html
>
> Do you disagree with the comments there?

I think the intent of RFC 5280 is *not* to allow "_" in dNSName.

However, other PKIX implementations (OpenSSL, NSS) do not seem to verify dNSName syntax at all, so it might be necessary to drop the check for interoperability reasons in OpenJDK, even if it makes OpenJDK less compliant with RFC 5280.

--
Florian Weimer / Red Hat Product Security
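
The trade-off discussed above, as an added example that is not part of the original message and is not OpenJDK code: RFC 5280 section 4.2.1.6 requires a dNSName to follow the "preferred name syntax" of RFC 1034 section 3.5 as modified by RFC 1123 section 2.1, which has no "_". The class name, method name and the `allowUnderscore` switch are hypothetical, and wildcard names are left out of scope.

```java
import java.util.regex.Pattern;

// Added illustration; DnsNameSyntaxCheck and isValid are hypothetical names.
public class DnsNameSyntaxCheck {
    // One label in preferred name syntax (RFC 1034 section 3.5) with the
    // RFC 1123 section 2.1 relaxation that a label may start with a digit:
    // letters, digits and hyphens, no leading or trailing hyphen, 1 to 63 chars.
    private static final Pattern STRICT_LABEL =
        Pattern.compile("[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?");

    // Same shape, but "_" is tolerated. This is an assumed lenient policy
    // for interoperability, not something RFC 5280 permits.
    private static final Pattern LENIENT_LABEL =
        Pattern.compile("[A-Za-z0-9_]([A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?");

    static boolean isValid(String name, boolean allowUnderscore) {
        // 253 is the longest textual form of a DNS name.
        if (name == null || name.isEmpty() || name.length() > 253) {
            return false;
        }
        Pattern label = allowUnderscore ? LENIENT_LABEL : STRICT_LABEL;
        // Limit -1 keeps empty trailing parts, so "a." and "a..b" are rejected.
        for (String part : name.split("\\.", -1)) {
            if (!label.matcher(part).matches()) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample names, not taken from any real certificate.
        String[] samples = {
            "www.example.com", "my_host.example.com",
            "-bad.example.com", "a..b", "1host.example.com"
        };
        for (String s : samples) {
            System.out.printf("%-22s strict=%-5b lenient=%b%n",
                s, isValid(s, false), isValid(s, true));
        }
    }
}
```

Only `my_host.example.com` changes outcome between the two modes; the malformed names are rejected either way, so tolerating "_" does not require dropping the syntax check entirely.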
