[cabfpub] Ballot 92 - Subject Alternative Names

Gervase Markham gerv at mozilla.org
Fri Nov 16 10:15:23 UTC 2012


On 15/11/12 17:27, Steve Roylance wrote:
> Contents: This extension MUST contain at least one entry that is either
> a Fully-Qualified Domain Name or Public IP Address. Each subjectAltName
> entry MUST either be a Domain Name or an IP Address. The CA MUST confirm
> the Applicant’s control of each dNSName or Public IP Address entry in
> accordance with Section 11.1.

This bit, I agree with.

The rest - that certs with internal domain names must be OV - I do not, 
because I don't think it measurably adds to security. People on LANs who 
are using "https://mail/" are not going to check the O field in the 
certificate viewer every time to make sure it's their company's 
https://mail/ cert rather than someone else's. And Mozilla is not going 
to start putting that field in primary UI for non-EV certs, for 
long-rehearsed reasons.

The above rule at least allows browsers to programmatically display an 
ownership-validated FQDN as an "identifier" even when accessing an 
internal site. I filed a bug on us doing that, although we have no plans 
or resources to implement it, and my position has been that we shouldn't 
force CAs to do the work to include the info until we have actually 
implemented it. But if you are keen to force yourselves, I'm not going 
to object :-)

However, given that the ballot stands or falls as a whole, we will be 
voting against. (This should not come as a surprise to its proponents; I 
think we have exhausted the discussion on the topic and must agree to 
disagree, and see what everyone else thinks when the vote comes :-)

Gerv
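The quoted ballot text describes a certificate-profile rule: every subjectAltName entry is a dNSName or iPAddress, and at least one of them is a Fully-Qualified Domain Name or a Public IP Address, with internal names ("mail") permitted but not counting toward that anchor. The following checker, added here as an illustration and not code from the CA/Browser Forum or from any party to the thread, evaluates a decoded SAN list against that rule. It assumes entries arrive as (GeneralName type, value) tuples, treats "FQDN" as two or more syntactically valid DNS labels (so a bare host name is internal), and treats "Public IP" as Python's ipaddress.is_global; both definitions are this example's own simplifications, and the sample SAN lists are constructed.

```python
import ipaddress
import re

# One DNS label: 1-63 chars of letters, digits, hyphen; no leading/trailing hyphen.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name: str) -> bool:
    """Assumption for this example: an FQDN has at least two valid labels
    joined by dots. A single-label name such as "mail" is an internal name."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(_LABEL.match(label) for label in labels)


def is_public_ip(value: str) -> bool:
    """Public IP approximated by ipaddress.is_global: RFC 1918, loopback,
    link-local and documentation ranges all come back False."""
    try:
        return ipaddress.ip_address(value).is_global
    except ValueError:
        return False


def check_san(entries):
    """Apply the ballot rule to a list of (GeneralName type, value) tuples.

    Returns a dict with:
      compliant      - True only if every entry is dNSName/iPAddress AND at
                       least one entry is an FQDN or Public IP
      internal_names - dNSName entries that are not FQDNs (allowed, but do
                       not satisfy the "at least one" requirement)
      non_public_ips - iPAddress entries that are not globally routable
      bad_types      - entries of any other GeneralName type (disallowed)
    """
    result = {"internal_names": [], "non_public_ips": [], "bad_types": []}
    anchored = False  # becomes True once an FQDN or Public IP is seen
    for gn_type, value in entries:
        if gn_type == "dNSName":
            if is_fqdn(value):
                anchored = True
            else:
                result["internal_names"].append(value)
        elif gn_type == "iPAddress":
            if is_public_ip(value):
                anchored = True
            else:
                result["non_public_ips"].append(value)
        else:
            result["bad_types"].append((gn_type, value))
    result["compliant"] = anchored and not result["bad_types"]
    return result


if __name__ == "__main__":
    # Constructed sample: an internal name alongside an ownership-validated FQDN.
    sample = [("dNSName", "mail"), ("dNSName", "mail.example.com")]
    print(check_san(sample))
```

A CA-side linter would feed this from the decoded extension of the to-be-signed certificate; a relying party could run the same logic over a SAN list to decide whether any entry is an ownership-validated identifier worth surfacing, which is the programmatic display the message above refers to.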
