[cabfpub] Defining BR scope
Gervase Markham
gerv at mozilla.org
Tue Feb 2 12:16:57 UTC 2016
On 01/02/16 18:15, Rob Stradling wrote:
> Do any modern browsers still match domain names and IP addresses against
> the Subject Common Name?
Yes, all of them AIUI.
> If so, are we anywhere near the point where
> they could stop doing this?
Well, we mandated that SANs should mirror CN quite a while back, so
there may be scope for this soon for publicly-trusted certs. I believe
Ryan had some views here...
> I'm wondering if we could define the scope of the BRs to consider not
> just the EKU extension, but also the SAN extension. (I forget if this
> has been proposed previously - apologies if it has).
This does run into the "protecting people with down-level revisions of
software" problem.
Gerv
More information about the Public
mailing list