[cabfpub] Defining BR scope
Rob Stradling
rob.stradling at comodo.com
Tue Feb 2 05:33:56 MST 2016
On 02/02/16 12:16, Gervase Markham wrote:
> On 01/02/16 18:15, Rob Stradling wrote:
>> Do any modern browsers still match domain names and IP addresses against
>> the Subject Common Name?
>
> Yes, all of them AIUI.
>
>> If so, are we anywhere near the point where
>> they could stop doing this?
>
> Well, we mandated that SANs should mirror CN quite a while back, so
> there may be scope for this soon for publicly-trusted certs. I believe
> Ryan had some views here...
>
>> I'm wondering if we could define the scope of the BRs to consider not
>> just the EKU extension, but also the SAN extension. (I forget if this
>> has been proposed previously - apologies if it has).
>
> This does run into the "protecting people with down-level revisions of
> software" problem.
How well are we protecting people with down-level revisions of software
today though?
I don't think what I suggested would make the situation any worse for
people with down-level versions, but it would improve the situation for
people with current versions.
That'd be better than continuing to do nothing, wouldn't it?
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
More information about the Public
mailing list