[cabfpub] Question about CN and SAN encoding

Ryan Sleevi sleevi at google.com
Wed May 23 07:12:47 MST 2018


On Wed, May 23, 2018 at 9:26 AM, García Jimeno, Oscar via Public <
public at cabforum.org> wrote:

> Hi, we need to issue a certificate for www.gueñes.eus. According to
> CABForum requirements, the dnsName, if included in the CN, must match the
> SAN of the certificate. Our problem is that according to RFC5280 the
> dnsName in the SAN must be encoded with IA5String, and can’t include
> non-7-bit-ASCII characters (like ‘ñ’). If we encode the CN using UTF-8
> (www.gueñes.eus) and the SAN using IA5String (www.xn--guees-qta.eus), then
> tools like zlint or https://misissued.com/batch/1/ don’t accept them as
> valid, because they see them as different names (www.gueñes.eus in CN vs
> www.xn--guees-qta.eus in SAN). Shall we issue the CN as
> www.xn--guees-qta.eus like the SAN, or can we have different values
> between CN and SAN?
>
> Thanks
>
> *We are .eus!*
>
> That is why my e-mail address is now: o-garcia at izenpe.eus
>
> *Oscar García*
>
> *CISSP, CISM*
>
> WARNING! Part or all of this message may be legally protected. The message
> has its intended recipient. If it has reached the wrong address (address
> mistyped, transmission failure), notify the sender by replying to this
> e-mail. TAKE CARE!
> ATTENTION! This message contains privileged or confidential information
> that only the addressee is entitled to access. If you have received it by
> mistake, we would be grateful if you did not make use of the information
> and contacted the sender.


There are no known compatibility issues in having the CN match the A-Label
form (that is, xn--).

There are no known display issues in having the CN match the A-Label form
(that is, xn--).

There are known display and compatibility issues in having the CN use the
U-Label form. Notably, Microsoft Windows CryptoAPI is the only API that is
known to translate the U-Label into A-Label. Software which does not
support SAN traditionally expects a byte-for-byte match with the hostname,
which will be presented in its A-Label form.

Unfortunately, some CAs voted against providing this guidance within the
BRs, and thus the ballot (
https://cabforum.org/2017/07/26/ballot-202-underscore-wildcard-characters/
) failed. No further details have been provided as to the basis of the
objecting CAs, so the Forum is left with little input as to how to make this
acceptable to them.

The ballot could otherwise be resubmitted unchanged.
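The check below is an added example written for this archive page; it is not code from the thread, from zlint or from misissued.com. It reproduces the situation Oscar describes and the guidance in the reply: it assumes the Python standard library `idna` codec (IDNA 2003) yields the same A-label as the CA's own toolchain, and it models the linters' comparison as a byte-for-byte match between the CN string and the SAN dNSName entries. A U-label CN is flagged, and the A-label form the CN should carry is reported.

```python
"""CN-vs-SAN lint for internationalized hostnames.

Added example, not code from the thread, zlint or misissued.com. It assumes
the Python stdlib 'idna' codec (IDNA 2003) produces the same A-label as the
CA's toolchain, and it models the linters' check as a byte-for-byte
comparison between the CN string and the SAN dNSName entries.
"""
import encodings.idna  # noqa: F401 - registers the stdlib "idna" codec


def to_a_label(hostname):
    """Return the A-label (punycode, xn--) form of a hostname.

    Labels that are already ASCII (including existing xn-- labels) pass
    through unchanged; only non-ASCII labels are converted.
    """
    return hostname.encode("idna").decode("ascii").lower()


def is_ia5string_safe(value):
    """RFC 5280: a SAN dNSName is an IA5String, so only 7-bit ASCII may appear."""
    return all(ord(ch) < 0x80 for ch in value)


def lint_cn_against_san(cn, san_dns_names):
    """Compare a certificate CN against its SAN dNSName list.

    Returns a dict with:
      exact_match   - True if the CN string is byte-for-byte one of the SAN
                      names (the check linters apply and SAN-less clients
                      rely on)
      a_label_match - True if the CN equals a SAN name after A-label conversion
      findings      - human-readable reasons the certificate would be flagged
    """
    findings = []

    for san in san_dns_names:
        if not is_ia5string_safe(san):
            findings.append("SAN dNSName %r cannot be encoded as IA5String" % san)

    if not is_ia5string_safe(cn):
        findings.append(
            "CN %r is a U-label; clients without SAN support compare it "
            "byte-for-byte against the A-label hostname and will not match" % cn
        )

    exact_match = cn in san_dns_names
    a_label_match = to_a_label(cn) in {to_a_label(s) for s in san_dns_names}

    if not exact_match and a_label_match:
        findings.append(
            "CN and SAN name the same host but differ in encoding; "
            "issue the CN as %r to match the SAN" % to_a_label(cn)
        )
    elif not a_label_match:
        findings.append("CN %r does not appear in the SAN in any form" % cn)

    return {
        "exact_match": exact_match,
        "a_label_match": a_label_match,
        "findings": findings,
    }


if __name__ == "__main__":
    # Constructed inputs mirroring the case in the thread.
    for cn in ("www.gueñes.eus", "www.xn--guees-qta.eus"):
        result = lint_cn_against_san(cn, ["www.xn--guees-qta.eus"])
        print(cn, "->", result)
```

Run as a script it reports the U-label CN as a mismatch with a finding naming www.xn--guees-qta.eus as the form to issue, and the A-label CN as a clean match, which is the outcome the reply recommends. The lenient `a_label_match` is there only to distinguish an encoding mismatch from a CN that is absent from the SAN altogether; a CA's pre-issuance lint should still require `exact_match`.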