On Wed, Apr 01, 2026 at 10:05:57PM -0400, Jeffrey Walton wrote:
> On Wed, Apr 1, 2026 at 6:45 PM Nico Williams <[email protected]> wrote:
> > But also: how much does this differ from changing the Chrome Root
> > Program policy to say that intermediate CAs chaining to WebPKI roots can
> > only issue EE certs with clientAuth when they have only dNSName SANs
> > (and either empty DNs or just CN=<FQDN>)? Because this alternative is
> > much cheaper in terms of code that needs to change.
>
> Regarding just "just CN=<FQDN>", that's a CA/BF Baseline Requirement
> (BR) violation. A name must always appear in the SAN. If a name is
> present in the CN, then it must be duplicated in the SAN, too.

I meant "just" as in what's in the subject, not "no SAN". I should have been clearer, but I thought "just" related to what's in the subject name given that the alternative had been "empty DN".
