[cabfpub] Ballot 92 - Subject Alternative Names

Ryan Sleevi sleevi at google.com
Thu Nov 15 22:26:33 UTC 2012

On Thu, Nov 15, 2012 at 2:10 PM, Eddy Nigg (StartCom Ltd.) <
eddy_nigg at startcom.org> wrote:

> On 11/15/2012 11:52 PM, From Rich Smith:
>  Since many clients and servers will still choke on a cert with no Common
> Name.
> Rich, can you please give me real examples of commonly used browsers and
> servers that wouldn't work? Much appreciated.
>   Regards      Signer:  Eddy Nigg, COO/CTO    StartCom Ltd.<http://www.startcom.org>
> XMPP:  startcom at startcom.org  Blog:  Join the Revolution!<http://blog.startcom.org>
> Twitter:  Follow Me <http://twitter.com/eddy_nigg>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
I don't know if the volume is many, but I have seen a variety of
vendor-proprietary implementations that behave as Rich describes.

However, I don't think think the volume of affected clients matter - the
whole point of permitting entries in the CN (in addition to the SAN) is to
support such clients.

For any *new* client, which supports SAN, what benefits does this provide /
security threats does this address?
 - I would suggest none, since any SAN-supporting client will ignore the CN

For any *old* client, which does not support SAN, what benefits does this
provide / security threats does this address?
  - Given that internal IPs / hostnames are still permissible in the SAN, I
would suggest none.

I'm certainly sympathetic to the argument "The UI [might be] ambiguous",
but I think that's a different problem, and arguably address[ed/able] today
by requiring the value of the CN match one of the values of the SANs, so it
remains unclear to me.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20121115/2c8cb1bf/attachment-0004.html>

More information about the Public mailing list