[cabfpub] BR "corrections" ballot

Rob Stradling rob.stradling at comodo.com
Mon Mar 21 11:23:16 UTC 2016


On 21/03/16 10:59, Gervase Markham wrote:
> Hi Peter,
>
> On 19/03/16 16:26, Peter Bowen wrote:
>> 3) Explicitly allow the commonName in the Subject to contain domain
>> names encoded using U-labels (meaning a certificate can have
>> "xn--vernderung-s5a.com" in the SAN and "veränderung.com" in the CN)
>
> Can you explain this one a bit more? It seems to make sense to me that
> the CN value is always exactly duplicated in the SAN, even if other
> values are also present. Are you proposing relaxing that requirement?

Hi Gerv.  This has been common practice for years:

See https://crt.sh/?cablint=247

See also this thread from a couple of months ago:
https://cabforum.org/pipermail/public/2016-January/006631.html

>> 4) Allow “_” in FQDNs
>
> Domain names may have underscores, but hostnames may not, at least
> according to:
> http://stackoverflow.com/questions/2180465/can-domain-name-subdomains-have-an-underscore-in-it
> Are the things we put in certificates hostnames? Given that SSL is for
> connecting to internet hosts, it would seem to me that they are. Clue me
> in by explaining what I'm missing.

"You've entered a special hell. It is dark and scary. You are likely to 
be eaten by a grue."

https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg02548.html

>> Does anyone have suggestions of other things that should be
>> considered for a BR corrections ballot or think any of my suggested
>> items should be a separate ballot?
>
> Looking at
> https://bugzilla.cabforum.org/buglist.cgi?bug_status=__open__&product=Baseline%20Requirements
> how about:
>
> https://bugzilla.cabforum.org/show_bug.cgi?id=17
> https://bugzilla.cabforum.org/show_bug.cgi?id=19
> https://bugzilla.cabforum.org/show_bug.cgi?id=28
> and perhaps
> https://bugzilla.cabforum.org/show_bug.cgi?id=2
>
> Gerv

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
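
The CN/SAN relationship and the underscore question discussed in this thread, as an added example that is not part of the original message and is not cablint or any CA/Browser Forum tooling. The function names are hypothetical, the conversion relies on Python's built-in "idna" codec (IDNA 2003, an assumption about which IDNA version applies), and every sample name other than the one quoted in the thread is constructed.

```python
# Added example: classify how a certificate's subject CN relates to its
# SAN dNSName entries, and list labels that contain an underscore.

def to_a_label(name):
    """Lower-case a DNS name and convert any U-labels to A-labels (xn--...)."""
    try:
        # Python's built-in codec implements IDNA 2003 (assumption noted above).
        return name.rstrip(".").encode("idna").decode("ascii").lower()
    except UnicodeError:
        return None  # empty or over-long label, or a disallowed code point


def check_cn(cn, san_dns_names):
    """Return 'exact', 'equivalent' or 'missing' for the CN against the SAN list."""
    if cn in san_dns_names:
        return "exact"  # CN is duplicated byte-for-byte in the SAN
    cn_a = to_a_label(cn)
    san_a = {to_a_label(s) for s in san_dns_names} - {None}
    if cn_a is not None and cn_a in san_a:
        return "equivalent"  # same name, but a different encoding or case
    return "missing"  # CN names something the SAN does not cover


def underscore_labels(fqdn):
    """Return the labels of a name that contain '_'."""
    return [label for label in fqdn.split(".") if "_" in label]


if __name__ == "__main__":
    # The name from the thread: U-label form in the CN, A-label form in the SAN.
    u_name = "ver\u00e4nderung.com"  # "veränderung.com"
    samples = [
        (u_name, ["xn--vernderung-s5a.com"]),
        ("xn--vernderung-s5a.com", ["xn--vernderung-s5a.com"]),
        ("example.com", ["www.example.com"]),           # constructed
        ("host_1.example.com", ["host_1.example.com"]),  # constructed
    ]
    for cn, sans in samples:
        print(cn, sans, check_cn(cn, sans), underscore_labels(cn))
```

A result of "equivalent" marks the certificates at issue in item 3: the CN is not an exact duplicate of a SAN entry, but it names the same domain.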



