On Wed, 11 Oct 2017 11:33:09 +0200 Daniel Margolis <[email protected]> wrote:

> Because STS is intended to work with existing certs, it seems
> problematic to me to force people who may already have a CN-only cert
> to go get a new one--but you probably have a better idea than I do
> about how common that actually would be, if I remember your research
> properly. Are people generally already all migrated to SANs? Are we
> likely to have people who have an existing cert that relies on CN
> matching?

Chrome recently disabled CN support and only uses SAN. The Baseline Requirements require certificates to have a SAN value and call CN deprecated [1].

Thus at least within the WebPKI:

1. If someone uses certificates with a CN and no SAN then they won't work in the most popular browser.
2. They violate the rules and should be revoked anyway.

[1] https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.4.8-redlined.pdf

-- 
Hanno Böck
https://hboeck.de/
mail/jabber: [email protected]
GPG: FE73757FA60E4E21B937579FA5880072BBB51E42

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
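As an added illustration of the SAN-only matching policy discussed above (example code written for this page, not from the thread, Chrome, or any MTA-STS implementation): a small hostname checker that consults only subjectAltName dNSName entries and rejects a CN-only certificate outright. It assumes certificates are represented as dicts shaped like Python's `ssl.getpeercert()` output; the two sample certificates are constructed inline.

```python
"""SAN-only hostname verification over ssl.getpeercert()-style dicts."""


def _dns_names(cert):
    """Return the dNSName entries of subjectAltName. commonName is deliberately
    never consulted, mirroring a SAN-only client."""
    return [value for (kind, value) in cert.get("subjectAltName", ()) if kind == "DNS"]


def _match_dns(pattern, hostname):
    """RFC 6125-style comparison: exact match, or a single '*' standing for the
    whole left-most label only (no partial or multi-label wildcards)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def check_hostname(cert, hostname):
    """Return (ok, reason). A certificate without SAN never matches, whatever its CN
    says, which is the failure mode a CN-only certificate would hit in Chrome."""
    names = _dns_names(cert)
    if not names:
        return False, "no subjectAltName: CN-only certificate rejected"
    if any(_match_dns(name, hostname) for name in names):
        return True, "hostname matched a SAN dNSName"
    return False, "hostname not present in subjectAltName"


# Constructed sample certificates (not real certificates) in getpeercert() layout.
CN_ONLY_CERT = {"subject": ((("commonName", "mail.example.com"),),)}
SAN_CERT = {
    "subject": ((("commonName", "cn-is-ignored.example.net"),),),
    "subjectAltName": (("DNS", "mail.example.com"), ("DNS", "*.example.org")),
}

if __name__ == "__main__":
    for cert, host in [(CN_ONLY_CERT, "mail.example.com"),
                       (SAN_CERT, "mail.example.com"),
                       (SAN_CERT, "cn-is-ignored.example.net"),
                       (SAN_CERT, "smtp.example.org")]:
        print(host, check_hostname(cert, host))
```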
