On Wed, Dec 05, 2018 at 07:07:30AM +0300, Daniel Kahn Gillmor wrote:
> One mitigating factor of the ETSI standard, i suppose, is that the
> CABForum's Baseline Requirements forbid issuance of a certificate with
> any subjectAltName other than dNSName or iPAddress, so otherName looks
> like it must not be issued by standard public CAs.
>
> top of p. 44 of
> https://cabforum.org/wp-content/uploads/CA-Browser-Forum-BR-1.6.1.pdf
>
> Has anyone set up tools to monitor the CT logs for such a sAN to see
> whether that element of the BR is being honored?

All the linters will give an error about that, see for instance:
https://crt.sh/?id=1009623020&opt=x509lint,cablint,zlint


Kurt

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls