[cabfpub] rfc822Names and otherNames

Jeremy Rowley jeremy.rowley at digicert.com
Wed Dec 14 06:13:48 UTC 2016


Currently the baseline requirements prohibit use of anything except dNSNames
and iPAddresses (see Section 7.1.4.2.1).  However, I do not think the
browsers actually process any of the other General Names, such as rfc822Name
and otherName.  I do know of one standard that uses otherNames for
displaying friendly names in Wireless devices. Although the certificate
policy isn't a public document (that I could find), information is available
here: https://www.wi-fi.org/certification/certificate-authority-vendors.  We
also receive requests from customers to include email addresses in these
certs. We deny these requests as being against the BRs.

 

Because browsers do not process otherNames and rfc822Names, I don't think
the same security risks identified with dNSNames and iPAddresses exist with
the other two name types. Therefore, I'd like to modify the baseline
requirements to permit other name types. Does anyone else see a need for
this? Are there risks in permitting the additional names that I'm not aware
of?

 

Jeremy
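
The restriction the message cites (only dNSName and iPAddress entries in the subjectAltName) can be checked directly on the DER of a subjectAltName value. The following is an added example, not part of the original message or of any CA's tooling; the function names and the sample bytes (including the 2.999.1 example OID and the names in it) are constructed for illustration.

```python
GENERAL_NAME_TYPES = {  # GeneralName CHOICE tag numbers, RFC 5280 section 4.2.1.6
    0: "otherName", 1: "rfc822Name", 2: "dNSName", 3: "x400Address",
    4: "directoryName", 5: "ediPartyName", 6: "uniformResourceIdentifier",
    7: "iPAddress", 8: "registeredID",
}
PERMITTED = {"dNSName", "iPAddress"}  # the two types the message says the BRs allow

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated TLV header")
    tag, length = buf[pos], buf[pos + 1]
    if tag & 0x1F == 0x1F:
        raise ValueError("high-tag-number form is not used by GeneralName")
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("value runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length

def san_entry_types(san_der):
    """List the GeneralName type of every entry in a DER GeneralNames value."""
    tag, body, end = read_tlv(san_der, 0)
    if tag != 0x30 or end != len(san_der):
        raise ValueError("not a single GeneralNames SEQUENCE")
    types, pos = [], 0
    while pos < len(body):
        tag, _, pos = read_tlv(body, pos)
        if tag & 0xC0 != 0x80:  # every GeneralName alternative is context-tagged
            raise ValueError("GeneralName must be context-tagged")
        types.append(GENERAL_NAME_TYPES.get(tag & 0x1F, "unknown"))
    return types

def disallowed_types(san_der):
    """Entry types a linter would flag under the dNSName/iPAddress-only rule."""
    return [t for t in san_entry_types(san_der) if t not in PERMITTED]

def tlv(tag, value):
    """Helper for building the constructed sample (short-form lengths only)."""
    assert len(value) < 128
    return bytes([tag, len(value)]) + value

# Constructed sample: dNSName, iPAddress, rfc822Name, and an otherName holding a UTF8String.
OTHER = tlv(0x06, bytes([0x88, 0x37, 0x01])) + tlv(0xA0, tlv(0x0C, b"Example Wi-Fi"))
SAMPLE_SAN = tlv(0x30, tlv(0x82, b"example.com") + tlv(0x87, bytes([192, 0, 2, 1]))
                 + tlv(0x81, b"admin@example.com") + tlv(0xA0, OTHER))
```

For the sample, disallowed_types(SAMPLE_SAN) reports the rfc822Name and otherName entries, which are the two name types the proposal would permit.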
