[cabfpub] BR "corrections" ballot

Rob Stradling rob.stradling at comodo.com
Mon Mar 21 12:31:02 UTC 2016

On 21/03/16 11:56, Gervase Markham wrote:
> On 21/03/16 11:49, Rob Stradling wrote:
>> What would be the downside of saying that subject:commonName, if
>> included in the cert, MUST contain either the A-label form or U-label
>> form of one of the SAN:dNSName values?
> Converting using IDNA2003 or IDNA2008? :-))
> In a data structure designed for computer consumption, why would you not
> want to write the computer-readable, as opposed to human-readable,
> version of the label? My security spider-sense tells me that allowing
> multiple "equivalent" forms of a name in a security context, rather than
> requiring a single canonical form, is a good way of getting nasty bugs.

Browsers ignore subject.commonName (for determining whether or not the 
cert is valid for a given domain name) when 1 or more SAN:dNSNames are 
present, right?

How is the encoding of an ignored field "in a security context"?

Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

More information about the Public mailing list