Resent from my DocuSign email address :/

Regards,
Erwann Abalea

On 21 March 2016 at 15:50, Erwann Abalea <[email protected]> wrote:

Hello,

X.509 has recently changed its definition of what is admissible in a dNSName 
entry. You can freely download all this from 
https://www.itu.int/rec/T-REC-X.509/en.

From the very first edition of X.509v3 (1997) up to the latest revision (2012), 
it was defined as:

  * the dNSName alternative is an Internet domain name defined in accordance with IETF RFC 1035;

preventing the use of anything other than letters, digits, and hyphen.

A published corrigendum changed the definition to:

the dNSName alternative shall be a fully-qualified domain name (FQDN). The 
domain name shall be in the syntax as specified by section 2.3.1 of IETF RFC 
5890 meaning that a domain name is a sequence of labels in the letters, digits, 
hyphen (LDH) format separated by dots.

A label may be in one of two formats:

a)  All characters in the label are from the Basic Latin collection as defined 
by ISO/IEC 10646 (i.e., having code points in the ranges 002D, 0030-0039, 
0041-005A and 0061-007A) and it does not start with "xn--". The maximum length 
is 63 octets.
b)  It is an A-label as defined in IETF RFC 5890, i.e., it starts with the 
"xn--" and is a U-label converted to valid ASCII characters as in item a) using 
the Punycode algorithm defined by IETF RFC 3492. The converted string shall be 
maximum 59 octets. To be valid, it shall be possible for an A-label to be 
converted to a valid U-label. The U-label is as also defined in IETF RFC 5890.

NOTE 1 – An A-label is normally not human-readable.

Again preventing anything other than letters, digits, and hyphens.

Regards,
Erwann Abalea



On 21 March 2016 at 14:08, Peter Bowen <[email protected]> wrote:


On Mar 21, 2016, at 4:39 AM, Gervase Markham <[email protected]> wrote:

On 21/03/16 11:23, Rob Stradling wrote:

Are the things we put in certificates hostnames? Given that SSL is for
connecting to internet hosts, it would seem to me that they are. Clue me
in by explaining what I'm missing.

"You've entered a special hell. It is dark and scary. You are likely to
be eaten by a grue."

https://www.mail-archive.com/[email protected]/msg02548.html

Can someone give me a concrete example of why someone would want an _ in
a hostname in a cert? An all-Microsoft shop using it for an internal
name which nevertheless was an FQDN? my_server.corp.fooco.com?

_ is allowed at the DNS protocol level, so it works in many cases.  See the 
following (pulled from CT logs):

myaccount_ca.kelloggsnutrition.com
office_eygelshoven.laurametaal.nl
dr_mail.ncr.com

All of these have public A records with what appear to be public IPs.  Given 
this, they presumably work with many TLS clients.

Thanks,
Peter
_______________________________________________
Public mailing list
[email protected]
https://cabforum.org/mailman/listinfo/public



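The two label formats quoted from the corrigendum above (item a, a plain LDH label; item b, an "xn--" A-label), together with Peter's observation that underscore names exist in CT logs, can be turned into a concrete check. The following Python is an added example written for this thread; it is not code from the list, from ITU-T or from any CA. It assumes that the 59-octet limit in item b applies to the Punycode payload after the 4-octet "xn--" prefix, reduces "convertible to a valid U-label" to three checks (the payload decodes as Punycode, the result contains a non-ASCII character, and re-encoding gives the payload back) rather than the full RFC 5891 rules, and treats a trailing dot as an empty label. The function names and the sample names other than the CT-log one are constructed for the example.

```python
import codecs
from typing import List, Optional

# Characters permitted inside a label by item a) of the corrigendum text:
# hyphen (U+002D), digits (U+0030-0039), A-Z (U+0041-005A), a-z (U+0061-007A).
LDH_CHARS = frozenset("-0123456789"
                      "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                      "abcdefghijklmnopqrstuvwxyz")


def check_label(label: str) -> Optional[str]:
    """Return None if the label satisfies item a) or b), else the reason it fails."""
    if not label:
        return "empty label"
    bad = sorted(set(label) - LDH_CHARS)
    if bad:
        # Anything outside LDH is out, so an underscore (U+005F) fails here.
        return "non-LDH character(s): " + ", ".join("U+%04X" % ord(c) for c in bad)
    if not label.lower().startswith("xn--"):
        # Item a): a plain LDH label of at most 63 octets (all ASCII, so
        # character count equals octet count).
        if len(label) > 63:
            return "LDH label longer than 63 octets"
        return None
    # Item b): an A-label. Assumption: the 59-octet limit applies to the
    # Punycode payload after the 4-octet "xn--" prefix (4 + 59 = 63).
    payload = label[4:]
    if len(payload) > 59:
        return "A-label payload longer than 59 octets"
    # "It shall be possible for an A-label to be converted to a valid U-label."
    # Simplified here (assumption): the payload must decode as Punycode, the
    # result must contain a non-ASCII character (a U-label is never pure
    # ASCII), and re-encoding must give back the same payload.
    try:
        ulabel = payload.encode("ascii").decode("punycode")
    except UnicodeError as exc:
        return f"A-label payload is not valid Punycode ({exc})"
    if ulabel.isascii():
        return "A-label decodes to pure ASCII, which is not a U-label"
    if ulabel.encode("punycode").decode("ascii").lower() != payload.lower():
        return "A-label is not the canonical Punycode form of its U-label"
    return None


def check_dnsname(name: str) -> List[str]:
    """Check every label of an FQDN; an empty list means the name is admissible.

    A trailing dot produces an empty last label and is therefore rejected
    (assumption: dNSName entries carry no trailing dot).
    """
    problems = []
    for index, label in enumerate(name.split(".")):
        reason = check_label(label)
        if reason is not None:
            problems.append(f"label {index} {label!r}: {reason}")
    return problems


if __name__ == "__main__":
    # Constructed sample: one of the CT-log names cited in the thread, an
    # ordinary name, and an IDN name (the A-label for "münchen").
    for candidate in ("myaccount_ca.kelloggsnutrition.com",
                      "www.example.com",
                      "xn--mnchen-3ya.example"):
        print(candidate, "->", check_dnsname(candidate) or "admissible")
```

Run against the CT-log name, the check reports exactly one problem, the U+005F in the first label; the plain and the IDN names pass. A linter for certificate contents would apply the same check to every dNSName in the subjectAltName extension.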
