On 21/03/16 11:23, Rob Stradling wrote: > Hi Gerv. This has been common practice for years: > > See https://crt.sh/?cablint=247
Well, it may have been, but that doesn't mean it's a) currently BR-compliant, or b) a good idea :-) > See also this thread from a couple of months ago: > https://cabforum.org/pipermail/public/2016-January/006631.html What would be the downside of saying that all domain names in certificates have to be in A-label form? That seems like the simplest thing, if nothing breaks. This seems to be what is being hinted at in RFC 5280, although as noted it doesn't say that explicitly. >> Are the things we put in certificates hostnames? Given that SSL is for >> connecting to internet hosts, it would seem to me that they are. Clue me >> in by explaining what I'm missing. > > "You've entered a special hell. It is dark and scary. You are likely to > be eaten by a grue." > > https://www.mail-archive.com/[email protected]/msg02548.html Can someone give me a concrete example of why someone would want an _ in a hostname in a cert? An all-Microsoft shop using it for an internal name which nevertheless was an FQDN? my_server.corp.fooco.com? Gerv _______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
