Jean-Marc Desperrier wrote:
> Michael Ströder wrote:
>> [...]
>> RFC 2818 (only INFORMATIONAL) references RFC 2459 concerning matching
>> rules which was obsoleted by RFC 3280 which was recently obsoleted by
>> RFC 5280. RFC 5280 references "Preferred name syntax" in RFC 1034.
>>
>> Glancing over these documents I found no provision that the dNSName in
>> subjectAltName MUST specify a fully-qualified domain name. But maybe
>> this issue should be raised on the ietf-pkix mailing list.
>
> There's no reason to forbid at that level issuance of certificates that
> are intended to be used only on an intranet.
Well, if there are doubts whether https://de/ points to an A/CNAME record in
the .de top-level domain or resolves to a local server (by DNS adding a search
suffix) and is therefore treated as equivalent to https://de.example.test/,
then the TLS standard should say something about this. Also matching rules
for dNSName are affected.

> It should be more the policy of the CA that should either refuse to
> issue such certificates, or require a written agreement that they are
> intended only for intranet use.

Nelson was asking for adding an additional provision to Mozilla's policy.

Ciao, Michael.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
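The ambiguity discussed in this thread, as an added example that is not part of the original message or of any Mozilla or IETF code: a small policy check that validates each subjectAltName dNSName against the RFC 1034 preferred name syntax, flags single-label names such as "de" that a resolver search list could silently rewrite, and shows the candidate names a stub resolver would try. The search list "example.test" and the sample names are constructed for illustration.

```python
import re

# RFC 1034 section 3.5 "preferred name syntax": each label is letters, digits
# and hyphens, starts with a letter, does not end with a hyphen, max 63 octets.
# RFC 1123 later allowed a leading digit; this check follows the RFC 1034 text.
_LABEL_RE = re.compile(r"^[A-Za-z](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

def dnsname_issues(dnsname):
    """Return a list of policy findings for one subjectAltName dNSName value.

    An empty list means the name is syntactically valid and fully qualified
    (at least two labels), so a resolver search list cannot silently turn it
    into a different host than the one the certificate was issued for.
    """
    issues = []
    name = dnsname[:-1] if dnsname.endswith(".") else dnsname  # drop root dot
    if not name:
        return ["empty dNSName"]
    if len(name) > 253:
        issues.append("name longer than 253 octets")
    labels = name.split(".")
    for label in labels:
        if not _LABEL_RE.match(label):
            issues.append(f"label {label!r} violates RFC 1034 preferred name syntax")
    if len(labels) < 2:
        issues.append("single-label name: ambiguous between a public TLD and "
                      "a search-suffix-expanded intranet host")
    return issues

def search_list_expansions(hostname, search_list):
    """Candidate names a stub resolver may query for a host typed without a
    dot, given its search list (constructed model of the ambiguity)."""
    if "." in hostname.rstrip("."):
        return [hostname]
    return [f"{hostname}.{suffix}" for suffix in search_list] + [hostname]

def intranet_only(san_dnsnames):
    """True if any dNSName in the SAN is not fully qualified, i.e. the
    certificate is one a CA policy would restrict to intranet use."""
    return any(
        any(i.startswith("single-label") for i in dnsname_issues(n))
        for n in san_dnsnames
    )

if __name__ == "__main__":
    # Constructed sample SAN values, not taken from any real certificate.
    for n in ["de", "de.example.test", "-bad.example.test"]:
        print(n, dnsname_issues(n))
    print(search_list_expansions("de", ["example.test"]))
    print(intranet_only(["www.example.test", "de"]))
```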