Re: [FORGED] Name issues in public certificates

2015-11-18 Thread Peter Bowen
On Wed, Nov 18, 2015 at 2:22 AM, Rob Stradling wrote: > I would also like to get clarification on if/when the underscore character > may be used in each of the name types. Your report seems to flag > underscores as always prohibited (I think), but I expect that some CAs

Re: [FORGED] Name issues in public certificates

2015-11-18 Thread Ryan Sleevi
On Wed, November 18, 2015 8:56 am, Peter Bowen wrote: > On Wed, Nov 18, 2015 at 2:22 AM, Rob Stradling > wrote: > > I would also like to get clarification on if/when the underscore > > character > > may be used in each of the name types. Your report seems to flag > >

Work-in-Progress Version 2.3 of Mozilla CA Cert Policy

2015-11-18 Thread Kathleen Wilson
All, The work-in-progress for version 2.3 of Mozilla's CA Certificate Policy is in GitHub: master repo: https://github.com/mozilla/ca-policy The changes made so far are listed here: https://wiki.mozilla.org/CA:CertificatePolicyV2.3#Changes_Made_to_DRAFT_Version_2.3 Additionally, the policy

Re: Policy Update Proposal -- Refer to BRs for Name Constraints Requirement

2015-11-18 Thread Kathleen Wilson
On 11/5/15 11:00 AM, Kathleen Wilson wrote: On 10/28/15 10:25 AM, Kathleen Wilson wrote: Therefore, this proposal is modified to simplify item #9 of the Inclusion Policy, https://www.mozilla.org/en-US/about/governance/policies/security-group/certs/policy/inclusion/ as follows: ~~ We

Re: [FORGED] Name issues in public certificates

2015-11-18 Thread Peter Bowen
On Wed, Nov 18, 2015 at 10:25 AM, Ryan Sleevi wrote: > On Wed, November 18, 2015 8:56 am, Peter Bowen wrote: >> On Wed, Nov 18, 2015 at 2:22 AM, Rob Stradling >> wrote: >> > I would also like to get clarification on if/when the

RE: [FORGED] Name issues in public certificates

2015-11-18 Thread Richard Wang
We tested IE11, Firefox 42, Chrome 45 on Windows 10, all support IP address only now. So we need to test the old version browsers. I will update soon. Regards, Richard -Original Message- From: dev-security-policy

Re: [FORGED] Name issues in public certificates

2015-11-18 Thread Rob Stradling
Peter, yes, let's discuss that list at CABForum. I would also like to get clarification on if/when the underscore character may be used in each of the name types. Your report seems to flag underscores as always prohibited (I think), but I expect that some CAs would be surprised by that. On

Re: [FORGED] Name issues in public certificates

2015-11-18 Thread Brian Smith
Peter Bowen wrote: > 2) For commonName attributes in subject DNs, clarify that they can only > contain: > - IPv4 address in dotted-decimal notation (specified as IPv4address > from section 3.2.2 of RFC 3986) > - IPv6 address in coloned-hexadecimal notation (specified as >

Re: [FORGED] Name issues in public certificates

2015-11-18 Thread Brian Smith
On Tue, Nov 17, 2015 at 4:40 PM, Richard Wang wrote: > So WoSign only left IP address issue that we added both IP address and DNS > Name since some browser have warning for IP address only in SAN. > Put the IP addresses in the SAN as an iPAddress and then also put them in

Re: [FORGED] Name issues in public certificates

2015-11-18 Thread Peter Bowen
On Wed, Nov 18, 2015 at 5:43 PM, Brian Smith wrote: > Peter Bowen wrote: >> >> 2) For commonName attributes in subject DNs, clarify that they can only >> contain: >> >> - IPv4 address in dotted-decimal notation (specified as IPv4address >> from section