[cabfpub] Ballot 92 - Subject Alternative Names
gerv at mozilla.org
Fri Nov 16 10:10:35 UTC 2012
On 15/11/12 21:52, Rich Smith wrote:
> Since many clients and servers will still choke on a cert with no Common
> Name. Prohibiting Reserved IPs and Internal host names in the CN field
> effectively prohibits single site certificates for Reserved IPs and
> internal names. What's the reasoning behind this?

Can you help me be absolutely clear about what the problem is here? Is

a) These clients expect to see a Common Name field, and will choke if
one is not present; or

b) These clients do not support SAN, and so only look in the Common Name

If the answer is a), then it's fine to prohibit Reserved IPs and
Internal host names in the CN field because you can just put a validated
FQDN owned by the company in question in the CN field and put the
Reserved IP or internal host name in the SAN.

If the answer is b), then we do have a potential problem.