[cabfpub] Proposed new ballot on IP Addresses in SANs
Rick Andrews
Rick_Andrews at symantec.com
Fri Apr 15 16:46:05 MST 2016
Richard, some of us CAs have “gotten along” by issuing certs that violate this part of the BRs. Given that customers can only get certs that work in Windows if we violate this part of the BRs, and given that Microsoft isn’t able or willing to patch all old versions of Windows to address this, I’d like to legalize what we’ve been forced to do.
-Rick
From: Richard Barnes [mailto:rbarnes at mozilla.com]
Sent: Friday, April 15, 2016 3:43 PM
To: Rick Andrews <Rick_Andrews at symantec.com>
Cc: public at cabforum.org
Subject: Re: [cabfpub] Proposed new ballot on IP Addresses in SANs
Rick: This seems pretty abusive. Given that apparently you've gotten along without this so far, what's the compelling use case?
On Fri, Apr 15, 2016 at 6:09 PM, Rick Andrews <Rick_Andrews at symantec.com <mailto:Rick_Andrews at symantec.com> > wrote:
It’s come to our attention that all versions of Windows prior to Windows 10
cannot handle SANs of type IPAddress. Those older versions correctly handle
IP addresses in SANs if they are of type dNSName. Jody from Microsoft has
confirmed this.
I’d like to propose a ballot to allow IP addresses in SANs of type dNSName
to allow for this. Jody has said he would endorse. I need another endorser.
The proposed change is this (added text between + signs):
7.1.4.2.1 Subject Alternative Name Extension
Each entry MUST be either a dNSName containing the Fully‐Qualified Domain
Name +or the IP address of a server,+ or an iPAddress containing the IP
address of a server
-Rick
_______________________________________________
Public mailing list
Public at cabforum.org <mailto:Public at cabforum.org>
https://cabforum.org/mailman/listinfo/public
-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20160415/4ceb3c73/attachment-0001.html
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 5749 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20160415/4ceb3c73/attachment-0001.bin
More information about the Public
mailing list