On Thu, Jan 24, 2019 at 7:36 AM Kurt Roeckx via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:

> On 2019-01-24 15:41, Rob Stradling wrote:
> >
> > Here's an example cert containing the A-label in the SAN:dNSName and the
> > U-label in the CN. (It was issued by Sectigo, known back then as Comodo
> > CA, before we switched to always putting the A-label in the CN):
> >
> > https://crt.sh/?id=213062481&opt=cablint,x509lint,zlint
> >
> > x509lint agrees with your opinion (unsurprisingly!), but both cablint
> > and zlint complain.
>
> x509lint doesn't do anything related to this. I've disabled the code to
> check that the CN is one of the SANs because I didn't write the code
> related to the conversion from the U-label to the A-label yet. It used
> to behave exactly like zlint and say it doesn't match, but I think
> that's wrong. It was clearly my intention to say that a certificate
> like that is the correct way to do it. One of the reasons I didn't do
> this is that it was not obvious to me at that time which is the correct
> standard to use, which I guess is why this thread was started.

You don't need to choose between IDNA2003 and 2008 to do A-label to U-label. That direction is identical for both. So you can try each of the SANs and see if it decodes to the CN.
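The check the reply describes, written out as an added example (this is not code from the thread, x509lint, zlint or cablint): each SAN dNSName is converted from its A-label form to a U-label by plain RFC 3492 punycode decoding of every `xn--` label, which is the same operation under IDNA2003 and IDNA2008, and the result is compared against the CN. The certificate values here (`SAMPLE_CN`, `SAMPLE_SANS`) are constructed for illustration, not taken from the crt.sh entry above.

```python
import codecs
import unicodedata

# Constructed sample values (not from the certificate discussed in the thread).
# The SAN carries the A-label (punycode) form; the CN carries the U-label form.
SAMPLE_CN = "bücher.example"
SAMPLE_SANS = ["xn--bcher-kva.example", "www.example"]


def a_label_to_u_label(name: str) -> str:
    """Decode every xn-- label of a DNS name with RFC 3492 punycode.

    Only the decoding direction is used, so no choice between the IDNA2003
    and IDNA2008 mapping rules is needed. Raises UnicodeError on malformed
    punycode, which the caller treats as "this SAN does not match".
    """
    labels = []
    for label in name.rstrip(".").split("."):
        if label.lower().startswith("xn--"):
            labels.append(codecs.decode(label[4:].encode("ascii"), "punycode"))
        else:
            labels.append(label)
    return ".".join(labels)


def normalize(name: str) -> str:
    """Canonical form for comparison: NFC, no trailing dot, case-folded."""
    return unicodedata.normalize("NFC", name.rstrip(".")).casefold()


def cn_matches_san(cn: str, sans: list[str]):
    """Return the SAN whose decoded U-label form equals the CN, or None."""
    target = normalize(cn)
    for san in sans:
        try:
            if normalize(a_label_to_u_label(san)) == target:
                return san
        except UnicodeError:
            # Malformed punycode cannot match; move on to the next SAN.
            continue
    return None


if __name__ == "__main__":
    match = cn_matches_san(SAMPLE_CN, SAMPLE_SANS)
    print(f"CN {SAMPLE_CN!r} matches SAN {match!r}")
```

The opposite direction (U-label to A-label) is where the two IDNA versions diverge, for example IDNA2003 maps "ß" to "ss" while IDNA2008 encodes it as its own code point, so a linter that decodes the SANs sidesteps that ambiguity entirely.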