On 2019-01-24 15:41, Rob Stradling wrote:

Here's an example cert containing the A-label in the SAN:dNSName and the
U-label in the CN.  (It was issued by Sectigo, known back then as Comodo
CA, before we switched to always putting the A-label in the CN):

https://crt.sh/?id=213062481&opt=cablint,x509lint,zlint

x509lint agrees with your opinion (unsurprisingly!), but both cablint
and zlint complain.

x509lint doesn't do anything related to this. I've disabled the code to check that the CN is one of the SANs because I didn't write the code related to the conversion from the U-label to the A-label yet. It used to behave exactly like zlint and say it doesn't match, but I think that's wrong. It was clearly my intention to say that a certificate like that is the correct way to do it. One of the reasons I didn't do this is that it was not obvious to me at that time which is the correct standard to use, which I guess is why this thread was started.


Kurt
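As an added illustration (not code from x509lint, zlint, cablint or anyone in this thread), this is the shape of the "CN must be one of the SAN dNSNames" check once the CN is first converted from U-label to A-label, which is the step Kurt says his linter does not yet do. It assumes Python's standard-library `idna` codec, which implements IDNA 2003; the sample CN and SAN values are constructed, not taken from the certificate linked above.

```python
# Added example: lint check that a certificate's CN names one of its SAN
# dNSName entries, comparing both sides in A-label (ASCII, punycode) form.
# Assumption: Python's built-in 'idna' codec (IDNA 2003 mapping rules).
from typing import Iterable, Optional


def to_a_label(name: str) -> str:
    """Convert a hostname that may contain U-labels into its A-label form.

    Each label is handled separately so that already-ASCII labels are only
    lowercased, while non-ASCII labels go through the IDNA codec and come
    back as 'xn--' punycode labels.
    """
    labels = []
    for label in name.split("."):
        if label.isascii():
            labels.append(label.lower())
        else:
            labels.append(label.encode("idna").decode("ascii"))
    return ".".join(labels)


def cn_matches_san(cn: str, san_dns_names: Iterable[str]) -> bool:
    """True if the CN, as an A-label, equals one of the SAN dNSName values."""
    target = to_a_label(cn)
    return any(to_a_label(san) == target for san in san_dns_names)


def lint_cn_in_san(cn: str, san_dns_names: Iterable[str]) -> Optional[str]:
    """Return a lint finding as text, or None when the certificate passes.

    Conversion errors (over-long or otherwise invalid labels) are reported
    as findings rather than raised, as a linter would do.
    """
    try:
        if cn_matches_san(cn, san_dns_names):
            return None
    except UnicodeError as exc:
        return f"CN {cn!r} cannot be converted to an A-label: {exc}"
    return f"CN {cn!r} (A-label {to_a_label(cn)!r}) is not among the SAN dNSNames"


if __name__ == "__main__":
    # Constructed sample: U-label in the CN, A-label in the SAN, which is the
    # pattern Rob's example certificate follows.
    sample_cn = "bücher.example"
    sample_sans = ["xn--bcher-kva.example", "www.xn--bcher-kva.example"]
    print(lint_cn_in_san(sample_cn, sample_sans))          # None: passes
    print(lint_cn_in_san("other.example", sample_sans))    # finding text
```

Which IDNA revision the conversion uses matters for the verdict: the stdlib codec applies IDNA 2003 mappings (for example, "ß" becomes "ss"), whereas IDNA 2008 treats some of those code points differently, so a linter written against one standard can disagree with a CA that registered the name under the other. That is the same "which standard" question Kurt raises, and a real implementation would want to pin the revision it checks against explicitly.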

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
