On 21/03/16 11:39, Gervase Markham wrote:
> On 21/03/16 11:23, Rob Stradling wrote:
>> Hi Gerv. This has been common practice for years:
>>
>> See https://crt.sh/?cablint=247
>
> Well, it may have been, but that doesn't mean it's a) currently
> BR-compliant, or b) a good idea :-)

On a), here's my view:
https://cabforum.org/pipermail/public/2016-January/006642.html

>> See also this thread from a couple of months ago:
>> https://cabforum.org/pipermail/public/2016-January/006631.html
>
> What would be the downside of saying that all domain names in
> certificates have to be in A-label form?

What would be the downside of saying that subject:commonName, if
included in the cert, MUST contain either the A-label form or U-label
form of one of the SAN:dNSName values?

> That seems like the simplest
> thing, if nothing breaks. This seems to be what is being hinted at in
> RFC 5280, although as noted it doesn't say that explicitly.
>
>>> Are the things we put in certificates hostnames? Given that SSL is for
>>> connecting to internet hosts, it would seem to me that they are. Clue me
>>> in by explaining what I'm missing.
>>
>> "You've entered a special hell. It is dark and scary. You are likely to
>> be eaten by a grue."
>>
>> https://www.mail-archive.com/[email protected]/msg02548.html
>
> Can someone give me a concrete example of why someone would want an _ in
> a hostname in a cert? An all-Microsoft shop using it for an internal
> name which nevertheless was an FQDN? my_server.corp.fooco.com?
>
> Gerv

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public
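
The rule proposed in the message above (subject:commonName, if present, is the A-label or U-label form of one of the SAN:dNSName values), together with the underscore question, as an added Python example that is not part of the original thread. It assumes Python's built-in `idna` codec (IDNA 2003) for the conversion and works on already-extracted name strings; `lint_names`, its helpers and every sample name except `my_server.corp.fooco.com` are constructed for illustration.

```python
# Added example, not code from the thread. Inputs are name strings already
# extracted from a certificate; parsing the certificate is out of scope.
# Assumption: Python's built-in "idna" codec (IDNA 2003) does the conversion.


def to_a_label(name):
    """ASCII (xn--) form of a DNS name, lower-cased."""
    return name.encode("idna").decode("ascii").lower()


def to_u_label(name):
    """Unicode form of a DNS name, lower-cased."""
    return to_a_label(name).encode("ascii").decode("idna").lower()


def lint_names(common_name, san_dns_names):
    """Return findings for one certificate's CN and SAN dNSName values."""
    findings = []
    accepted = set()  # every spelling the proposed rule allows for the CN
    for san in san_dns_names:
        if "_" in san:
            findings.append(f"underscore in SAN dNSName: {san}")
        try:
            accepted.update((to_a_label(san), to_u_label(san)))
        except UnicodeError:  # empty or over-long label, bad punycode
            findings.append(f"SAN dNSName cannot be converted: {san}")
    # The rule only applies when a commonName is present (None = absent).
    if common_name is not None and common_name.lower() not in accepted:
        findings.append(f"CN is not the A- or U-label form of any SAN: {common_name}")
    return findings


# Constructed samples: (commonName, [SAN dNSName, ...])
SAMPLES = [
    ("bücher.example", ["xn--bcher-kva.example"]),         # U-label CN
    ("xn--bcher-kva.example", ["xn--bcher-kva.example"]),  # A-label CN
    ("other.example", ["xn--bcher-kva.example"]),          # CN not in SAN
    ("my_server.corp.fooco.com", ["my_server.corp.fooco.com"]),
]

if __name__ == "__main__":
    for cn, sans in SAMPLES:
        print(cn, "->", lint_names(cn, sans) or "ok")
```

The underscore name satisfies the CN/SAN rule and is reported only for the underscore, which keeps the two questions raised in the thread separate.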
