[cabfpub] Ballot 92 reviewed
Gervase Markham
gerv at mozilla.org
Fri Oct 26 02:21:30 MST 2012
On 25/10/12 22:07, Jeremy Rowley wrote:
> A certificate with a non-FQDN or private IP address is essentially
> non-verified if the certificate lacks organization details.

I disagree with that statement; I would say that it has been linked to
an owner if it contains at least one SAN (or CN) value which is fully
qualified. Which I believe is the intent of the changes to section 9.2.2.

> *Section 10.3 – Information Requirements*
>
> This change is to clarify that at least one subjectAltName extension
> entry is required. CN was deprecated in v1.0. This change furthers
> the deprecation by shifting domain name entries into the
> subjectAltName extension.

I am definitely in favour of this.

> By requiring wildcard characters in only the complete left-most
> label, the forum’s practices will conform to the various RFCs already
> created and prevent a possible attack.

I think it also corresponds to what modern browsers allow.

Gerv
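
The rules discussed in this message (at least one subjectAltName entry, at least one fully qualified value, no private IP addresses or non-FQDN names, wildcard only as the complete left-most label) can be checked mechanically. This is an added example, not part of the original e-mail or of any CA/Browser Forum text. The function name `lint_san_entries`, the constructed sample values, and the simplification that any name with two or more labels counts as fully qualified are assumptions.

```python
import ipaddress


def lint_san_entries(entries):
    """Return findings for a certificate's subjectAltName values.

    entries: list of strings, each a DNS name or an IP address literal.
    Assumption: a name with two or more non-empty labels is treated as
    fully qualified; reserved or internal-only TLDs are not checked.
    """
    if not entries:
        return ["no subjectAltName entry present"]
    findings = []
    has_fqdn = False
    for entry in entries:
        try:
            addr = ipaddress.ip_address(entry)
        except ValueError:
            addr = None
        if addr is not None:
            if addr.is_private:
                findings.append(f"{entry}: private IP address")
            continue
        labels = entry.split(".")
        if "*" in entry:
            # A wildcard must be the whole left-most label and appear once.
            if labels[0] != "*" or any("*" in lab for lab in labels[1:]):
                findings.append(
                    f"{entry}: wildcard is not the complete left-most label")
                continue
            labels = labels[1:]
        if len(labels) < 2 or "" in labels:
            findings.append(f"{entry}: not a fully qualified domain name")
        else:
            has_fqdn = True
    if not has_fqdn:
        findings.append("no fully qualified value links the certificate to an owner")
    return findings


if __name__ == "__main__":
    # Constructed sample values, not taken from any real certificate.
    sample = ["www.example.com", "*.example.com", "w*.example.com",
              "*.*.example.com", "mailserver", "10.0.0.5"]
    for finding in lint_san_entries(sample):
        print(finding)
```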