On Fri, 20 Jul 2018 21:38:45 -0700
Peter Bowen via dev-security-policy
<dev-security-policy@lists.mozilla.org> wrote:

>  https://crt.sh/?id=294808610&opt=zlint,cablint is one of the
> certificates.  It is not clear to me that there is an error here.
> The DNS names in the SAN are correctly encoded and the Common Name in
> the subject has one of the names found in the SAN.  The Common Name
> contains a DNS name that is the U-label form of one of the SAN
> entries.
> 
> It is currently undefined if this is acceptable or unacceptable for
> certificates covered by the BRs.  I put a CA/Browser Forum ballot
> forward a while ago to try to clarify it was not acceptable, but it
> did not pass as several CAs felt it was not only acceptable but is
> needed and desirable.

It would be helpful if any such CAs can tell us why this was "needed and
desirable" with actual examples.

Since the CN field in Web PKI certs always contains information
duplicated from a field that has been better defined for decades I'm
guessing in most cases the cause is crappy software. But if we know
which software is crappy we can help get that fixed rather than
muddling along forever.
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
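The condition discussed in the quoted message (a subject Common Name that is the U-label form of a SAN dNSName held in A-label form), as an added example that is not part of the thread or of any linter mentioned in it. The function names, result strings and sample names are constructed for illustration. Python's built-in `idna` codec implements IDNA2003, so names where IDNA2008 maps differently would need a dedicated IDNA2008 library.

```python
import unicodedata


def to_a_label(name: str) -> str:
    """Return the lowercase A-label (xn--) form of a DNS name.

    Uses the stdlib 'idna' codec (IDNA2003); assumption: good enough for
    names that IDNA2003 and IDNA2008 map identically.
    """
    name = unicodedata.normalize("NFC", name).rstrip(".")
    return name.encode("idna").decode("ascii").lower()


def classify_cn(cn: str, san_dns_names: list[str]) -> str:
    """Classify how a subject CN relates to the SAN dNSName entries.

    Hypothetical result strings:
      cn-matches-san        CN is byte-for-byte (case-insensitive) a SAN entry
      cn-is-u-label-of-san  CN is non-ASCII and its A-label form is a SAN entry
      cn-not-a-dns-name     CN cannot be converted to A-label form at all
      cn-not-in-san         CN does not correspond to any SAN entry
    """
    sans = {s.lower().rstrip(".") for s in san_dns_names}
    if cn.lower().rstrip(".") in sans:
        return "cn-matches-san"
    try:
        a_label = to_a_label(cn)
    except UnicodeError:
        return "cn-not-a-dns-name"
    if not cn.isascii() and a_label in sans:
        return "cn-is-u-label-of-san"
    return "cn-not-in-san"


# Constructed sample data, not taken from the certificate linked in the thread.
SAMPLE_SAN = ["xn--bcher-kva.example", "www.xn--bcher-kva.example"]

if __name__ == "__main__":
    for cn in ("bücher.example", "xn--bcher-kva.example", "other.example"):
        print(f"{cn!r}: {classify_cn(cn, SAMPLE_SAN)}")
```
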
