[cabfpub] Proposed new ballot on IP Addresses in SANs

Ryan Sleevi sleevi at google.com
Thu Apr 21 14:48:55 UTC 2016

On Thu, Apr 21, 2016 at 7:30 AM, Ryan Sleevi <sleevi at google.com> wrote:
> I'm afraid you've misunderstood my concern. An implementation on the
> client that enforces RFC5280 here will rightfully reject such certificates,
> as the labels do not conform to the LDH rule - that is, a domain name
> constructed entirely of numbers is an invalid hostname, the dNSName field
> should only contain valid hostnames, and such are rejected.

As a clear and concrete example:

While Chrome is planning to do the same, it highlights how 'blessing' such
certificates enables further fragmentation of the WebPKI, by encouraging
more "exceptions" to RFC5280. With nameConstraints being non-critical,
there were no identified compatibility risks, and thus it was not seen as an
issue. Here, I've given a clear example of a compatibility risk. And while
we can argue that Mozilla could update their code, why should Mozilla bear
the burden rather than Microsoft, for the problem of Microsoft's creation?
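
The host-name rule the message relies on, as an added illustration that is not part of the original post: RFC 5280 section 4.2.1.6 requires a dNSName to follow the RFC 1034 preferred name syntax as modified by RFC 1123 section 2.1 (LDH labels, no leading or trailing hyphen, 63-octet labels, 253-octet names), and RFC 1123 observes that the top-level label can never be all-numeric, which is exactly why a dotted-decimal address placed in a dNSName fails. The function names and sample values below are the editor's own.

```python
"""Check a dNSName SAN value against the RFC 5280 / RFC 1123 host-name rules
and say which GeneralName choice a given SAN value actually belongs in.
Constructed example; not code from the CA/Browser Forum thread."""
import ipaddress
import re
from typing import Optional

# One LDH label: letters, digits and hyphens, 1-63 octets, no hyphen at
# either end (RFC 1123 s2.1 relaxed RFC 1034 to allow a leading digit).
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_dnsname(name: str) -> Optional[str]:
    """Return None if `name` is a valid dNSName, else the reason it is not."""
    if not name or len(name) > 253:
        return "empty or longer than 253 octets"
    labels = name.rstrip(".").split(".")  # tolerate a single trailing dot
    for label in labels:
        if not LDH_LABEL.match(label):
            return f"label {label!r} violates the LDH rule"
    if labels[-1].isdigit():
        # RFC 1123 s2.1: a host name can never have the form #.#.#.# because
        # the top-level label must not be all-numeric. This is the check that
        # rejects an IPv4 literal smuggled into a dNSName.
        return "top-level label is all-numeric (looks like an IP address)"
    return None


def suggested_san_type(value: str) -> str:
    """Map a textual SAN value to the GeneralName choice it should use."""
    try:
        ipaddress.ip_address(value)
        return "iPAddress"  # encoded as 4 or 16 raw octets, never as text
    except ValueError:
        pass
    return "dNSName" if check_dnsname(value) is None else "invalid"


if __name__ == "__main__":
    # Constructed sample values covering a valid name, an IPv4 and an IPv6
    # literal, and two LDH violations.
    for v in ["www.example.com", "192.0.2.10", "2001:db8::1",
              "bad_host.example", "-x.example"]:
        print(f"{v:18} check={check_dnsname(v)!r:58} san={suggested_san_type(v)}")
```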
