[cabfpub] Ballot 92 - Subject Alternative Names

Gervase Markham gerv at mozilla.org
Fri Nov 16 03:10:35 MST 2012


On 15/11/12 21:52, Rich Smith wrote:
> Since many clients and servers will still choke on a cert with no Common
> Name.  Prohibiting Reserved IPs and Internal host names in the CN field
> effectively prohibits single site certificates for Reserved IPs and
> internal names.  What's the reasoning behind this?

Rich,

Can you help me be absolutely clear about what the problem is here? Is 
the problem:

a) These clients expect to see a Common Name field, and will choke if 
one is not present; or

b) These clients do not support SAN, and so only look in the Common Name 
field?

If the answer is a), then it's fine to prohibit Reserved IPs and 
Internal host names in the CN field because you can just put a validated 
FQDN owned by the company in question in the CN field and put the 
Reserved IP or internal host name in the SAN.

If the answer is b), then we do have a potential problem.

Gerv


More information about the Public mailing list