The CABForum BRs say this:
"7.1.4.2.2. Subject Distinguished Name Fields
a. Certificate Field: subject:commonName (OID 2.5.4.3)
Required/Optional: Deprecated (Discouraged, but not prohibited)
Contents: If present, this field MUST contain a single IP address or
Fully-Qualified Domain Name that is one of the values contained in the
Certificate's subjectAltName extension (see section 7.1.4.2.1)."
I believe the intent of "...MUST contain a single...that is one of the
values..." was to outlaw multiple CN-IDs. Clarification would help though.
On 08/04/16 01:47, Peter Bowen wrote:
On Thu, Apr 7, 2016 at 5:46 PM, Rick Andrews <[email protected]> wrote:
-----Original Message-----
From: Peter Bowen [mailto:[email protected]]
Sent: Thursday, April 07, 2016 5:34 PM
To: Rick Andrews <[email protected]>
Cc: [email protected]
Subject: Re: [Trans] Issue with redaction and CN-IDs
<snip>
I also wonder how to handle multiple CN-IDs in a single certificate.
There is not, to my knowledge, a requirement that the Subject only
contain one attribute of type commonName.
Dan Kaminsky's PKI Layer Cake paper
(https://www.cosic.esat.kuleuven.be/publications/article-1432.pdf) exposed
vulnerabilities around multiple CN-IDs, but we neglected to outlaw them in the
CABF BRs.
Ah, then ignore that question in the trans context. We can fix in the
CABF context.
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
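An added example, not part of the thread above and not code from CA/Browser Forum or any of the participants: a linter-style check for the two things this message turns on, whether a Subject carries more than one commonName attribute, and whether the commonName (if present) is a single IP address or FQDN that also appears in subjectAltName. It works on a plain, constructed representation of the Subject and SAN so it runs with no third-party modules; the `from_cryptography_cert` adapter is an assumed convenience showing how a real certificate parsed with the `cryptography` package would be fed in. All sample subjects and SAN lists are constructed, not taken from real certificates.

```python
# Added example (not from the thread): a linter-style check for the
# CABF BR 7.1.4.2.2 rule quoted above. It works on a plain, constructed
# representation of the Subject and the subjectAltName extension so it
# runs with no third-party modules; from_cryptography_cert() shows how to
# feed it a real certificate if the `cryptography` package is installed.
import ipaddress
import re

OID_COMMON_NAME = "2.5.4.3"

# One DNS label: 1-63 LDH characters, no leading or trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name: str) -> bool:
    """Syntactic check for a single FQDN (a leading wildcard label is allowed).

    Spaces, commas, empty labels and a trailing dot all fail, so a CN that
    packs several names into one attribute value is rejected here.
    """
    if not name or len(name) > 253:
        return False
    labels = name.split(".")
    if labels[0] == "*":
        labels = labels[1:]
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def parse_ip(text: str):
    """Return an ipaddress object for a textual IPv4/IPv6 address, else None."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def check_common_name(subject, san):
    """Return a list of BR 7.1.4.2.2 violations (empty list = compliant).

    subject: list of (dotted OID, value) pairs, in certificate order
    san:     list of ("dNSName", str) or ("iPAddress", packed bytes) pairs
    """
    problems = []
    cns = [value for oid, value in subject if oid == OID_COMMON_NAME]
    if not cns:
        return problems  # CN is deprecated/optional; absence is fine

    # The thread's concern: more than one commonName attribute in the Subject.
    if len(cns) > 1:
        problems.append(
            f"subject contains {len(cns)} commonName attributes; at most one is allowed"
        )

    san_dns = {value.lower() for kind, value in san if kind == "dNSName"}
    san_ips = {ipaddress.ip_address(value) for kind, value in san if kind == "iPAddress"}

    for cn in cns:
        ip = parse_ip(cn)
        if ip is not None:
            if ip not in san_ips:
                problems.append(f"commonName IP {cn} is not in the subjectAltName iPAddress entries")
        elif is_fqdn(cn):
            # DNS names are case-insensitive, so compare lower-cased.
            if cn.lower() not in san_dns:
                problems.append(f"commonName {cn!r} is not in the subjectAltName dNSName entries")
        else:
            problems.append(f"commonName {cn!r} is neither a single IP address nor a single FQDN")
    return problems


def from_cryptography_cert(cert):
    """Adapter (assumed helper): build (subject, san) from a cryptography.x509.Certificate.

    Imported lazily so the checker itself has no third-party dependency.
    """
    from cryptography import x509

    subject = [(attr.oid.dotted_string, attr.value) for attr in cert.subject]
    try:
        ext = cert.extensions.get_extension_for_class(x509.SubjectAlternativeName).value
    except x509.ExtensionNotFound:
        return subject, []
    san = [("dNSName", name) for name in ext.get_values_for_type(x509.DNSName)]
    san += [("iPAddress", addr.packed) for addr in ext.get_values_for_type(x509.IPAddress)]
    return subject, san


# Constructed sample inputs (not real certificates).
GOOD_SUBJECT = [("2.5.4.6", "US"), ("2.5.4.10", "Example Corp"), (OID_COMMON_NAME, "www.example.com")]
GOOD_SAN = [("dNSName", "www.example.com"), ("dNSName", "example.com")]

MULTI_CN_SUBJECT = [(OID_COMMON_NAME, "www.example.com"), (OID_COMMON_NAME, "login.example.com")]
MULTI_CN_SAN = [("dNSName", "www.example.com"), ("dNSName", "login.example.com")]

IP_SUBJECT = [(OID_COMMON_NAME, "192.0.2.1")]
IP_SAN = [("iPAddress", bytes([192, 0, 2, 1]))]

if __name__ == "__main__":
    for label, subj, san in [("good", GOOD_SUBJECT, GOOD_SAN),
                             ("multi-cn", MULTI_CN_SUBJECT, MULTI_CN_SAN),
                             ("ip", IP_SUBJECT, IP_SAN)]:
        print(label, check_common_name(subj, san) or "ok")
```

The multi-CN case is flagged even though every CN value is present in the SAN: that is the reading of "a single ... that is one of the values" discussed above, applied as a hard rule. Whether a wildcard label should be accepted in the CN, and whether a single-label name should be rejected outright, are policy choices this checker makes on its own; adjust `is_fqdn` to match the profile you are linting against.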