[cabfpub] BR "corrections" ballot

Gervase Markham gerv at mozilla.org
Mon Mar 21 11:39:27 UTC 2016


On 21/03/16 11:23, Rob Stradling wrote:
> Hi Gerv.  This has been common practice for years:
> 
> See https://crt.sh/?cablint=247

Well, it may have been, but that doesn't mean it's a) currently
BR-compliant, or b) a good idea :-)

> See also this thread from a couple of months ago:
> https://cabforum.org/pipermail/public/2016-January/006631.html

What would be the downside of saying that all domain names in
certificates have to be in A-label form? That seems like the simplest
thing, if nothing breaks. This seems to be what is being hinted at in
RFC 5280, although as noted it doesn't say that explicitly.

>> Are the things we put in certificates hostnames? Given that SSL is for
>> connecting to internet hosts, it would seem to me that they are. Clue me
>> in by explaining what I'm missing.
> 
> "You've entered a special hell. It is dark and scary. You are likely to
> be eaten by a grue."
> 
> https://www.mail-archive.com/dev-security-policy@lists.mozilla.org/msg02548.html

Can someone give me a concrete example of why someone would want an _ in
a hostname in a cert? An all-Microsoft shop using it for an internal
name which nevertheless was an FQDN? my_server.corp.fooco.com?

Gerv
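One way to lint SAN dNSName entries for the two issues this message raises (names not in A-label form, and an underscore in a label), as an added Python example that is not part of this thread or of crt.sh/cablint; the sample names are constructed.

```python
"""Lint the dNSName entries of a certificate SAN for two things: labels that are
not ASCII (i.e. a U-label where an A-label is expected) and labels containing an
underscore. Added illustration, not code from the thread or from cablint."""
import re

# Preferred-name syntax (RFC 952 as relaxed by RFC 1123): letters, digits and
# hyphen only, no leading or trailing hyphen, 1..63 octets per label.
LDH_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def lint_dnsname(name):
    """Return a list of findings for one dNSName value (empty list means clean)."""
    findings = []
    host = name.lower().rstrip(".")
    labels = host.split(".")
    # A leading wildcard label is permitted by the BRs; lint the remaining labels.
    if labels and labels[0] == "*":
        labels = labels[1:]
    for label in labels:
        if not label.isascii():
            # dNSName is an IA5String, so a raw Unicode label cannot be encoded
            # there; RFC 5280 section 7.2 points to the A-label (punycode) form.
            a_label = label.encode("idna").decode("ascii")
            findings.append(f"non-ASCII label {label!r}; A-label form is {a_label!r}")
            continue
        if "_" in label:
            findings.append(f"underscore in label {label!r}: not a valid hostname label")
        elif not LDH_LABEL.match(label):
            findings.append(f"label {label!r} violates LDH hostname syntax")
    return findings


def lint_san(dns_names):
    """Lint every dNSName in a SAN; return {name: findings} for names with issues."""
    report = {}
    for n in dns_names:
        f = lint_dnsname(n)
        if f:
            report[n] = f
    return report


# Constructed sample SAN (hypothetical names, not from any real certificate).
SAMPLE_SAN = ["www.example.com", "my_server.corp.fooco.com",
              "*.example.net", "bücher.example"]

if __name__ == "__main__":
    for name, issues in lint_san(SAMPLE_SAN).items():
        print(name, "->", "; ".join(issues))
```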
