[cabfpub] BR "corrections" ballot

Rob Stradling rob.stradling at comodo.com
Mon Mar 21 11:23:16 UTC 2016

On 21/03/16 10:59, Gervase Markham wrote:
> Hi Peter,
> On 19/03/16 16:26, Peter Bowen wrote:
>> 3) Explicitly allow the commonName in the Subject to contain domain
>> names encoded using U-labels (meaning a certificate can have
>> "xn--vernderung-s5a.com” in the SAN and “veränderung.com” in the CN)
> Can you explain this one a bit more? It seems to make sense to me that
> the CN value is always exactly duplicated in the SAN, even if other
> values are also present. Are you proposing relaxing that requirement?

Hi Gerv.  This has been common practice for years:

See https://crt.sh/?cablint=247

See also this thread from a couple of months ago:

>> 4) Allow “_” in FQDNs
> Domain names may have underscores, but hostnames may not, at least
> according to:
> http://stackoverflow.com/questions/2180465/can-domain-name-subdomains-have-an-underscore-in-it
> Are the things we put in certificates hostnames? Given that SSL is for
> connecting to internet hosts, it would seem to me that they are. Clue me
> in by explaining what I'm missing.

"You've entered a special hell. It is dark and scary. You are likely to 
be eaten by a grue."


>> Does anyone have suggestions of other things that should be
>> considered for a BR corrections ballot or think any of my suggested
>> items should be a separate ballot?
> Looking at
> https://bugzilla.cabforum.org/buglist.cgi?bug_status=__open__&product=Baseline%20Requirements
> how about:
> https://bugzilla.cabforum.org/show_bug.cgi?id=17
> https://bugzilla.cabforum.org/show_bug.cgi?id=19
> https://bugzilla.cabforum.org/show_bug.cgi?id=28
> and perhaps
> https://bugzilla.cabforum.org/show_bug.cgi?id=2
> Gerv

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

More information about the Public mailing list