[cabfpub] BR "corrections" ballot

Peter Bowen pzb at amzn.com
Mon Mar 21 06:08:36 MST 2016


> On Mar 21, 2016, at 4:39 AM, Gervase Markham <gerv at mozilla.org> wrote:
> 
> On 21/03/16 11:23, Rob Stradling wrote:
> 
>>> Are the things we put in certificates hostnames? Given that SSL is for
>>> connecting to internet hosts, it would seem to me that they are. Clue me
>>> in by explaining what I'm missing.
>> 
>> "You've entered a special hell. It is dark and scary. You are likely to
>> be eaten by a grue."
>> 
>> https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg02548.html
> 
> Can someone give me a concrete example of why someone would want an _ in
> a hostname in a cert? An all-Microsoft shop using it for an internal
> name which nevertheless was an FQDN? my_server.corp.fooco.com?

_ is allowed at the DNS protocol level, so it works in many cases.  See the following (pulled from CT logs):

myaccount_ca.kelloggsnutrition.com
office_eygelshoven.laurametaal.nl
dr_mail.ncr.com

All of these have public A records with what appear to be public IPs.  Given this, they presumably work with many TLS clients.

Thanks,
Peter
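The distinction drawn in the message above, between what the DNS protocol accepts and what hostname syntax allows, can be checked mechanically. This is an added example, not part of the original thread or any CA's tooling: the function name `classify` and the two `example.com` names are assumptions made for illustration, while the first three sample names are the ones quoted in the message.

```python
import re

# Hostname ("preferred name") syntax from RFC 952 / RFC 1123: each label is
# letters, digits and hyphens (LDH), and may not start or end with a hyphen.
LDH_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")


def classify(name):
    """Check a dNSName value against DNS protocol limits and hostname syntax.

    dns_ok      -> fits RFC 1035 size limits (label 1..63, name <= 253 chars)
    hostname_ok -> additionally every label is LDH
    bad_labels  -> labels that break the LDH rule (e.g. contain '_')
    """
    try:
        name.encode("ascii")  # dNSName is an IA5String, so ASCII only
    except UnicodeEncodeError:
        return {"dns_ok": False, "hostname_ok": False, "bad_labels": [name]}
    text = name[:-1] if name.endswith(".") else name  # tolerate a trailing dot
    labels = text.split(".")
    dns_ok = len(text) <= 253 and all(1 <= len(lab) <= 63 for lab in labels)
    bad = [lab for lab in labels if not LDH_LABEL.fullmatch(lab)]
    return {"dns_ok": dns_ok, "hostname_ok": dns_ok and not bad, "bad_labels": bad}


SAMPLES = [
    "myaccount_ca.kelloggsnutrition.com",  # from the message
    "office_eygelshoven.laurametaal.nl",   # from the message
    "dr_mail.ncr.com",                     # from the message
    "www.example.com",                     # constructed: valid hostname
    "-edge.example.com",                   # constructed: leading hyphen
]


def report(names):
    """Return one summary line per name for review of SAN entries."""
    lines = []
    for n in names:
        r = classify(n)
        verdict = "hostname" if r["hostname_ok"] else (
            "DNS name only" if r["dns_ok"] else "invalid")
        lines.append(f"{n}: {verdict} {r['bad_labels']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLES)))
```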

