[cabfpub] Ballot 92 - Subject Alternative Names
Gervase Markham
gerv at mozilla.org
Fri Nov 16 10:15:23 UTC 2012
On 15/11/12 17:27, Steve Roylance wrote:
> Contents: This extension MUST contain at least one entry that is either
> a Fully-Qualified Domain Name or Public IP Address. Each subjectAltName
> entry MUST either be a Domain Name or an IP Address. The CA MUST confirm
> the Applicant’s control of each dNSName or Public IP Address entry in
> accordance with Section 11.1.
This bit, I agree with.
The rest - that certs with internal domain names must be OV - I do not,
because I don't think it measurably adds to security. People on LANs who
are using "https://mail/" are not going to check the O field in the
certificate viewer every time to make sure it's their company's
https://mail/ cert rather than someone else's. And Mozilla is not going
to start putting that field in primary UI for non-EV certs, for
long-rehearsed reasons.
The above rule at least allows browsers to programmatically display an
ownership-validated FQDN as an "identifier" even when accessing an
internal site. I filed a bug on us doing that, although we have no plans
or resources to implement it, and my position has been that we shouldn't
force CAs to do the work to include the info until we have actually
implemented it. But if you are keen to force yourselves, I'm not going
to object :-)
However, given that the ballot stands or falls as a whole, we will be
voting against. (This should not come as a surprise to its proponents; I
think we have exhausted the discussion on the topic and must agree to
disagree, and see what everyone else thinks when the vote comes :-)
Gerv
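As an added illustration of the quoted rule (not part of the ballot or of this post), here is a stand-alone check over the entries of a certificate's subjectAltName extension: every entry must be a dNSName or an iPAddress, and at least one must be a Fully-Qualified Domain Name or a Public IP Address. The test for "internal" names (single-label names and a short list of non-public suffixes) is an assumption of this example, not something the ballot text defines.

```python
import ipaddress
import re

# Assumption of this example: a dNSName counts as a Fully-Qualified Domain Name
# only if it has at least two labels and does not end in a suffix that public
# DNS does not delegate. Single-label names such as "mail" are internal names.
NON_PUBLIC_SUFFIXES = (".local", ".internal", ".lan", ".corp", ".localhost")
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$", re.IGNORECASE)


def is_fqdn(name: str) -> bool:
    name = name.rstrip(".").lower()
    if name.endswith(NON_PUBLIC_SUFFIXES):
        return False
    labels = name.split(".")
    if labels and labels[0] == "*":   # tolerate one leading wildcard label
        labels = labels[1:]
    if len(labels) < 2:
        return False
    return all(LABEL_RE.match(label) for label in labels)


def is_public_ip(value: str) -> bool:
    try:
        return ipaddress.ip_address(value).is_global  # private/reserved ranges are not global
    except ValueError:
        return False


def check_san(entries):
    """entries: list of (GeneralName type, value) pairs as read from the SAN extension.
    Returns a list of violations of the quoted ballot text; empty means compliant."""
    problems = []
    has_public_entry = False
    for kind, value in entries:
        if kind == "dNSName":
            has_public_entry |= is_fqdn(value)      # internal names are allowed but do not count
        elif kind == "iPAddress":
            has_public_entry |= is_public_ip(value)
        else:
            problems.append(f"{kind}={value!r}: entry must be a dNSName or iPAddress")
    if not has_public_entry:
        problems.append("no Fully-Qualified Domain Name or Public IP Address entry")
    return problems


if __name__ == "__main__":
    # Constructed sample SAN contents, not taken from any real certificate.
    print(check_san([("dNSName", "mail"), ("dNSName", "mail.example.com")]))   # []
    print(check_san([("dNSName", "mail"), ("iPAddress", "10.0.0.5")]))         # one violation
    print(check_san([("rfc822Name", "admin@example.com"), ("dNSName", "www.example.com")]))
```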