[cabfpub] Defining BR scope
Peter Bowen
pzb at amzn.com
Tue Feb 2 12:21:53 UTC 2016
> On Feb 2, 2016, at 4:16 AM, Gervase Markham <gerv at mozilla.org> wrote:
>
> On 01/02/16 18:15, Rob Stradling wrote:
>> Do any modern browsers still match domain names and IP addresses against
>> the Subject Common Name?
>
> Yes, all of them AIUI.

Do they do this in the presence of a SAN extension or just the absence?

>> If so, are we anywhere near the point where
>> they could stop doing this?
>
> Well, we mandated that SANs should mirror CN quite a while back, so
> there may be scope for this soon for publicly-trusted certs. I believe
> Ryan had some views here...
>
>> I'm wondering if we could define the scope of the BRs to consider not
>> just the EKU extension, but also the SAN extension. (I forget if this
>> has been proposed previously - apologies if it has).
>
> This does run into the "protecting people with down-level revisions of
> software" problem.

What about keyUsage? Are browsers checking that?

Thanks,
Peter