[cabfpub] Defining BR scope

Gervase Markham gerv at mozilla.org
Tue Feb 2 12:16:57 UTC 2016


On 01/02/16 18:15, Rob Stradling wrote:
> Do any modern browsers still match domain names and IP addresses against 
> the Subject Common Name?

Yes, all of them AIUI.

> If so, are we anywhere near the point where 
> they could stop doing this?

Well, we mandated that SANs should mirror CN quite a while back, so
there may be scope for this soon for publicly-trusted certs. I believe
Ryan had some views here...

> I'm wondering if we could define the scope of the BRs to consider not 
> just the EKU extension, but also the SAN extension.  (I forget if this 
> has been proposed previously - apologies if it has).

This does run into the "protecting people with down-level revisions of
software" problem.

Gerv



More information about the Public mailing list