[cabfpub] Ballot 92 reviewed

Gervase Markham gerv at mozilla.org
Fri Oct 26 02:21:30 MST 2012


On 25/10/12 22:07, Jeremy Rowley wrote:
> A certificate with a non-FQDN or private IP address is essentially
> non-verified if the certificate lacks organization details.

I disagree with that statement; I would say that it has been linked to
an owner if it contains at least one SAN (or CN) value which is fully
qualified. Which I believe is the intent of the changes to section 9.2.2.

> *Section 10.3 – Information Requirements*
>
> This change is to clarify that at least one subjectAltName extension
> entry is required.  CN was deprecated in v1.0.  This change furthers
> the deprecation by shifting domain name entries into the
> subjectAltName extension.

I am definitely in favour of this.

> By requiring wildcard characters in only the complete left-most
> label, the forum’s practices will conform to the various RFCs already
> created and prevent a possible attack.

I think it also corresponds to what modern browsers allow.

Gerv
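As an added example (not code from this list or from the Forum's ballot text), a small checker for the three rules discussed in this message: at least one subjectAltName entry must be present, a wildcard may stand only as the complete left-most label, and a certificate whose names are all non-FQDN or private IP addresses and which carries no organization details is flagged as effectively unverified. It assumes LDH label syntax and that whatever follows `*.` must itself be a FQDN (so `*.com` is rejected); the function names are my own.

```python
import ipaddress
import re

# LDH label: letters, digits, hyphens; 1-63 chars; no leading/trailing hyphen.
LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_fqdn(name):
    """Fully-qualified dNSName: two or more LDH labels, no wildcard."""
    labels = name.rstrip(".").split(".")
    return len(labels) >= 2 and all(LDH_LABEL.match(lbl) for lbl in labels)


def wildcard_placement_ok(name):
    """Accept '*' only as the complete left-most label ('*.example.com').
    'w*.example.com', 'foo.*.example.com' and a bare '*' are rejected.
    Assumption: the remainder must itself be a FQDN, so '*.com' fails too."""
    labels = name.split(".")
    return labels[0] == "*" and is_fqdn(".".join(labels[1:]))


def classify(name):
    """One of: fqdn, wildcard, bad-wildcard, public-ip, private-ip, non-fqdn."""
    try:
        return "public-ip" if ipaddress.ip_address(name).is_global else "private-ip"
    except ValueError:
        pass  # not an IP literal, treat as a DNS name
    if "*" in name:
        return "wildcard" if wildcard_placement_ok(name) else "bad-wildcard"
    return "fqdn" if is_fqdn(name) else "non-fqdn"


def check_names(san_entries, cn=None, has_org=False):
    """Return findings for a certificate's SAN entries (plus CN, if any).
    An empty list means the names satisfy the rules discussed in the thread."""
    findings = []
    if not san_entries:
        findings.append("no subjectAltName entry (section 10.3)")
    names = list(san_entries) + ([cn] if cn else [])
    kinds = {n: classify(n) for n in names}
    for n, kind in kinds.items():
        if kind == "bad-wildcard":
            findings.append(f"wildcard is not the complete left-most label: {n}")
        elif kind in ("non-fqdn", "private-ip"):
            findings.append(f"non-FQDN or private IP address: {n}")
    # Gerv's reading of 9.2.2: one fully-qualified SAN (or CN) links the
    # certificate to an owner; without that, org details are the only link.
    if not has_org and not any(k in ("fqdn", "wildcard") for k in kinds.values()):
        findings.append("no fully-qualified name and no organization details")
    return findings
```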
