<div style="font-family: arial, helvetica, sans-serif; font-size: 10pt">On Thu, Nov 15, 2012 at 2:10 PM, Eddy Nigg (StartCom Ltd.) <span dir="ltr"><<a href="mailto:eddy_nigg@startcom.org" target="_blank">eddy_nigg@startcom.org</a>></span> wrote:<br>
<div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<br>
On 11/15/2012 11:52 PM, From Rich Smith:
<div class="im"><blockquote type="cite">
<div>
<p class="MsoNormal"><span style="font-size:11.0pt;font-family:'Calibri','sans-serif';color:#1f497d">Since
many clients and servers will still choke on a cert with no
Common Name.</span></p>
</div>
</blockquote>
<br></div>
Rich, can you please give me real examples of commonly used browsers
and servers that wouldn't work? Much appreciated.<br>
<br>
<div>
<table border="0" cellpadding="0" cellspacing="0">
<tbody>
<tr>
<td colspan="2">Regards </td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
<tr>
<td>Signer: </td>
<td>Eddy Nigg, COO/CTO</td>
</tr>
<tr>
<td> </td>
<td><a href="http://www.startcom.org" target="_blank">StartCom Ltd.</a></td>
</tr>
<tr>
<td>XMPP: </td>
<td><a>startcom@startcom.org</a></td>
</tr>
<tr>
<td>Blog: </td>
<td><a href="http://blog.startcom.org" target="_blank">Join the Revolution!</a></td>
</tr>
<tr>
<td>Twitter: </td>
<td><a href="http://twitter.com/eddy_nigg" target="_blank">Follow Me</a></td>
</tr>
<tr>
<td colspan="2"> </td>
</tr>
</tbody>
</table>
</div>
<br>
</div>
<br>_______________________________________________<br>
Public mailing list<br>
<a href="mailto:Public@cabforum.org">Public@cabforum.org</a><br>
<a href="https://cabforum.org/mailman/listinfo/public" target="_blank">https://cabforum.org/mailman/listinfo/public</a><br>
<br></blockquote></div><br><div>I don't know if the volume is many, but I have seen a variety of vendor-proprietary implementations that behave as Rich describes.</div><div><br></div><div>However, I don't think the volume of affected clients matters - the whole point of permitting entries in the CN (in addition to the SAN) is to support such clients.</div>
<div><br></div><div>For any <b>new</b> client, which supports SAN, what benefits does this provide / security threats does this address?</div><div> - I would suggest none, since any SAN-supporting client will ignore the CN</div>
<div><br></div><div>For any <b>old</b> client, which does not support SAN, what benefits does this provide / security threats does this address?</div><div> - Given that internal IPs / hostnames are still permissible in the SAN, I would suggest none.</div>
<div><br></div><div><br></div><div>I'm certainly sympathetic to the argument "The UI [might be] ambiguous", but I think that's a different problem, and arguably address[ed/able] today by requiring the value of the CN match one of the values of the SANs, so it remains unclear to me.</div>
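<div>The two points above, that a SAN-supporting client ignores the CN and that the CN could be required to match one of the SAN values, as an added Go example that is not code from this thread or from any CA/Browser Forum participant; the cnMatchesSAN check, the makeCert fixture and the host names are constructed for the demonstration:</div>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// cnMatchesSAN is the rule floated in the thread: a subject CN, if present,
// must equal one of the certificate's SAN dNSName or iPAddress entries.
func cnMatchesSAN(cert *x509.Certificate) bool {
	cn := cert.Subject.CommonName
	names := append([]string{""}, cert.DNSNames...) // an empty CN has nothing to mismatch
	for _, ip := range cert.IPAddresses {
		names = append(names, ip.String())
	}
	for _, n := range names {
		if n == cn {
			return true
		}
	}
	return false
}

// makeCert builds a self-signed test certificate from constructed CN and SAN values.
func makeCert(cn string, dns []string, ips []net.IP) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     dns,
		IPAddresses:  ips,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}
```

<div>With a certificate whose CN is absent from the SAN, cert.VerifyHostname on the CN value fails while the SAN value succeeds, which is the SAN-aware client behaviour the reply describes.</div>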
</div>