On 24/01/2019 14:09, Kurt Roeckx via dev-security-policy wrote:
> On 2019-01-24 12:08, Rob Stradling wrote:
>>
>> Hi Kurt.
>>
>> BRs 7.1.4.2.2 says that the subject:commonName "MUST contain a single IP
>> address or Fully-Qualified Domain Name that is one of the values
>> contained in the Certificate’s subjectAltName extension (see Section
>> 7.1.4.2.1)."
>>
>> Fitting the U-label into subjectAltName:dNSName (an IA5String, not a
>> UTF8String) would be...hard, so in practice the dNSName has to contain
>> the A-label.
>>
>> So what does "is one of the values" mean? It's certainly valid to use
>> the A-label in both the CN and SAN:dNSName. However, it's arguably
>> invalid (or at least it's not obviously valid) to put the A-label in the
>> SAN:dNSName and the corresponding U-label in the CN. (i.e., the U-label
>> and the A-label are different representations of the same value, but
>> they are not the same value).
>
> I expect all fields in the subject to be things you can just read, so
> U-labels. It does not make sense to show users an A-label, they do not
> understand what that means. The fields in a subject allow writing
> things in Unicode, there is no reason not to use it.

<snip>
Here's an example cert containing the A-label in the SAN:dNSName and the U-label in the CN. (It was issued by Sectigo, known back then as Comodo CA, before we switched to always putting the A-label in the CN):

https://crt.sh/?id=213062481&opt=cablint,x509lint,zlint

x509lint agrees with your opinion (unsurprisingly!), but both cablint and zlint complain.

-- 
Rob Stradling
Senior Research & Development Scientist
Sectigo Limited

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
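The disagreement between the linters in the thread above comes down to how "is one of the values" in BR 7.1.4.2.2 is read: as a literal string comparison between the CN and the SAN dNSName values, or as a comparison after the CN's U-label has been converted to its A-label. The following is an added example, not code from the thread or from cablint, x509lint or zlint; it models both readings side by side so a CA or auditor can see which certificates pass under each. It assumes that Python's built-in `idna` codec (IDNA 2003) is an adequate U-label to A-label conversion for the constructed sample names; `lint_common_name`, `to_a_label` and the sample names are this example's own, not any linter's API. The function also flags a dNSName that is not pure ASCII, since an IA5String cannot carry a U-label at all.

```python
# Added example, not part of the original mailing-list post.
# Models the two readings of BR 7.1.4.2.2 seen in the thread:
#   strict  - the CN must be literally one of the SAN dNSName values
#             (the cablint / zlint behaviour described in the post)
#   lenient - the CN may be the U-label form of a SAN dNSName A-label
#             (the x509lint behaviour described in the post)
# Assumption: Python's built-in "idna" codec (IDNA 2003) is sufficient
# for the constructed sample names used here.

from typing import Dict, List


def to_a_label(name: str) -> str:
    """Return the lowercased A-label (punycode/ASCII) form of a hostname.

    Pure-ASCII names are returned unchanged apart from case folding; the
    idna codec only applies nameprep to labels that contain non-ASCII.
    """
    return name.encode("idna").decode("ascii").lower()


def is_ia5(value: str) -> bool:
    """True if the value fits in an IA5String (7-bit ASCII only)."""
    return all(ord(ch) < 128 for ch in value)


def cn_matches_san_strict(cn: str, san_dnsnames: List[str]) -> bool:
    """Strict reading: CN must be byte-for-byte one of the SAN dNSNames
    (case-folded, since DNS names are case-insensitive)."""
    return cn.lower() in {s.lower() for s in san_dnsnames}


def cn_matches_san_lenient(cn: str, san_dnsnames: List[str]) -> bool:
    """Lenient reading: compare after normalising both sides to A-labels,
    so a U-label CN matches its A-label dNSName."""
    return to_a_label(cn) in {to_a_label(s) for s in san_dnsnames}


def lint_common_name(cn: str, san_dnsnames: List[str]) -> Dict[str, object]:
    """Evaluate one certificate's CN against its SAN dNSName values.

    Returns a dict with the outcome under both readings plus an overall
    verdict string ("ok", "warn: ...", or "error: ...").
    """
    findings: List[str] = []

    # A dNSName is an IA5String, so a non-ASCII value is malformed
    # regardless of how the CN question is answered.
    for name in san_dnsnames:
        if not is_ia5(name):
            findings.append(f"error: SAN dNSName {name!r} is not IA5 (ASCII)")

    strict = cn_matches_san_strict(cn, san_dnsnames)
    lenient = cn_matches_san_lenient(cn, san_dnsnames)

    if strict:
        verdict = "ok"
    elif lenient:
        verdict = "warn: CN is the U-label form of a SAN dNSName A-label"
    else:
        verdict = "error: CN is not one of the SAN dNSName values"

    return {
        "cn": cn,
        "strict_match": strict,
        "lenient_match": lenient,
        "verdict": verdict,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed sample certificates (hostnames are made up for the demo).
    samples = [
        ("xn--bcher-kva.example", ["xn--bcher-kva.example"]),  # A-label in both
        ("bücher.example", ["xn--bcher-kva.example"]),         # U-label CN
        ("other.example", ["xn--bcher-kva.example"]),          # CN not in SAN
        ("bücher.example", ["bücher.example"]),                # U-label in dNSName
    ]
    for cn, sans in samples:
        result = lint_common_name(cn, sans)
        print(f"{cn:24} {result['verdict']}")
        for f in result["findings"]:
            print(f"{'':24} {f}")
```

Running the block prints one verdict per sample: the all-A-label certificate passes both readings, the U-label CN passes only the lenient one (the case the thread's crt.sh example illustrates), the unrelated CN fails both, and the U-label dNSName is reported as malformed before the CN question even arises.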