[cabfpub] Defining BR scope

Peter Bowen pzb at amzn.com
Tue Feb 2 12:21:53 UTC 2016


> On Feb 2, 2016, at 4:16 AM, Gervase Markham <gerv at mozilla.org> wrote:
> 
> On 01/02/16 18:15, Rob Stradling wrote:
>> Do any modern browsers still match domain names and IP addresses against 
>> the Subject Common Name?
> 
> Yes, all of them AIUI.

Do they do this in the presence of a SAN extension or just the absence?

>> If so, are we anywhere near the point where 
>> they could stop doing this?
> 
> Well, we mandated that SANs should mirror CN quite a while back, so
> there may be scope for this soon for publicly-trusted certs. I believe
> Ryan had some views here...
> 
>> I'm wondering if we could define the scope of the BRs to consider not 
>> just the EKU extension, but also the SAN extension.  (I forget if this 
>> has been proposed previously - apologies if it has).
> 
> This does run into the "protecting people with down-level revisions of
> software" problem.

What about keyUsage?  Are browsers checking that?

Thanks,
Peter



