[cabfpub] Proposed new ballot on IP Addresses in SANs
Ryan Sleevi
sleevi at google.com
Thu Apr 21 14:48:55 UTC 2016
On Thu, Apr 21, 2016 at 7:30 AM, Ryan Sleevi <sleevi at google.com> wrote:
>
> I'm afraid you've misunderstood my concern. An implementation on the
> client that enforces RFC5280 here will rightfully reject such certificates,
> as the labels to not conform to the LDH rule - that is, a domain name
> constructed entirely of numbers is an invalid hostname, the dNSName field
> should only contain valid hostnames, and such are rejected.
>
As a clear and concrete example:
http://mxr.mozilla.org/mozilla-central/source/security/pkix/lib/pkixnames.cpp#1880
http://mxr.mozilla.org/mozilla-central/source/security/pkix/lib/pkixnames.cpp#2017
While Chrome is planning to do the same, it highlights how 'blessing' such
certificates enables further fragmentation of the WebPKI, by encouraging
more "exceptions" to RFC5280. With nameConstraints being non-critical,
there were no identified compatibility risks, and thus was not seen as an
issue. Here, I've given a clear example of a compatibility risk. And while
we can argue that Mozilla could update their code, why should Mozilla bear
the burden rather than Microsoft, for the problem of Microsoft's creation?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20160421/fbaeceb1/attachment-0003.html>
More information about the Public
mailing list