On 2019-01-24 20:19, Tim Hollebeek wrote:
I think the assertion that the commonName has anything to do with what the
user would type and expect to see is unsupported by any of the relevant
standards, and as Rob noted, having it be different from the SAN strings is
not in compliance with the Baseline Requirements.

The BR do not say anything about it.

It's also deprecated.  If anything, it should cease to exist.

I agree with that.

Requiring translation to a U-label by the CA adds a lot of additional complexity
with no benefit.

I have no idea what is so complex about that. When generating the certificate, it's really just calling a function. On the other hand, when reading a certificate you have to guess what they did.

And if it's really too complex, just remove the CN, or is that too complex too?

What users type and see are issues that are best left to Application Software
Suppliers (browsers).

So you're saying all the other software that deals with certificates should instead add complexity?


Kurt
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
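
The reading-side ambiguity discussed in this message, as an added example that is not part of the original thread: a lint that reports whether a certificate's commonName matches a SAN dNSName as written or only after IDNA conversion. The function names and sample names are hypothetical, and Python's built-in `idna` codec (IDNA2003 rules) is an assumption standing in for whatever conversion a CA or linter actually uses.

```python
# Added example (not from the thread): compare a certificate's CN with its SAN
# dNSNames, distinguishing a literal match from one that needs IDNA conversion.
# Assumption: the stdlib "idna" codec (IDNA2003) is acceptable for the comparison.

def to_a_label(name: str) -> str:
    """Return the lowercase A-label (xn--) form of a name given as U- or A-labels."""
    out = []
    for label in name.rstrip(".").split("."):
        if label == "*":                      # wildcard label is never IDNA-encoded
            out.append(label)
        else:                                 # raises UnicodeError on a bad label
            out.append(label.encode("idna").decode("ascii").lower())
    return ".".join(out)

def classify_cn(cn: str, san_dns: list[str]) -> str:
    """
    exact      CN is character-for-character one of the SAN dNSName values
    converted  CN equals a SAN only after case folding or IDNA conversion
    mismatch   CN corresponds to no SAN entry
    invalid    CN cannot be IDNA-encoded (for example a label over 63 octets)
    """
    if cn in san_dns:
        return "exact"
    try:
        cn_a = to_a_label(cn)
    except UnicodeError:
        return "invalid"
    san_a = set()
    for san in san_dns:
        try:
            san_a.add(to_a_label(san))
        except UnicodeError:
            continue                          # unusable SAN entry, cannot match
    return "converted" if cn_a in san_a else "mismatch"

if __name__ == "__main__":
    # Constructed sample values; "m\u00fcnchen" is the U-label of xn--mnchen-3ya.
    san = ["xn--mnchen-3ya.example", "www.xn--mnchen-3ya.example"]
    for cn in ("xn--mnchen-3ya.example", "m\u00fcnchen.example",
               "other.example", "a" * 64 + ".example"):
        print(ascii(cn), "->", classify_cn(cn, san))
```
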
