[cabfpub] Proposed new ballot on IP Addresses in SANs

Richard Barnes rbarnes at mozilla.com
Sat Apr 16 15:12:03 UTC 2016


That seems like an odd redirect, Rick.  You were OK violating the BRs
before, but you aren't now?  Why is this issue being raised now, after
Microsoft has already fixed the problem on current Windows?  Even the
threads Wayne cites are post-Win10.  The rules we make now apply in the
future, and in the future, as people upgrade, this is going to be less and
less of a problem.

As a matter of general practice, legalizing past BR violations is not a
pattern I would like this group to follow.  CAs should not be proactively
violating the BRs in hopes of getting a BR change later.  If they have a
need, they should bring it to the Forum and get the BR change *before* they
take an action that's contrary to the current BRs.

--Richard



On Fri, Apr 15, 2016 at 7:46 PM, Rick Andrews <Rick_Andrews at symantec.com>
wrote:

> Richard, some of us CAs have “gotten along” by issuing certs that violate
> this part of the BRs. Given that customers can only get certs that work in
> Windows if we violate this part of the BRs, and given that Microsoft isn’t
> able or willing to patch all old versions of Windows to address this, I’d
> like to legalize what we’ve been forced to do.
>
>
>
> -Rick
>
>
>
> *From:* Richard Barnes [mailto:rbarnes at mozilla.com]
> *Sent:* Friday, April 15, 2016 3:43 PM
> *To:* Rick Andrews <Rick_Andrews at symantec.com>
> *Cc:* public at cabforum.org
> *Subject:* Re: [cabfpub] Proposed new ballot on IP Addresses in SANs
>
>
>
> Rick: This seems pretty abusive.  Given that apparently you've gotten
> along without this so far, what's the compelling use case?
>
>
>
> On Fri, Apr 15, 2016 at 6:09 PM, Rick Andrews <Rick_Andrews at symantec.com>
> wrote:
>
> It’s come to our attention that all versions of Windows prior to Windows 10
> cannot handle SANs of type IPAddress. Those older versions correctly handle
> IP addresses in SANs if they are of type dNSName. Jody from Microsoft has
> confirmed this.
>
> I’d like to propose a ballot to allow IP addresses in SANs of type dNSName
> to allow for this. Jody has said he would endorse. I need another endorser.
> The proposed change is this (added text between + signs):
>
> 7.1.4.2.1 Subject Alternative Name Extension
> Each entry MUST be either a dNSName containing the Fully‐Qualified Domain
> Name +or the IP address of a server,+ or an iPAddress containing the IP
> address of a server
>
> -Rick
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
>
>
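An added worked example, not code from this thread or from the CA/Browser Forum: a small Python lint that sorts a certificate's subjectAltName entries into the buckets BR 7.1.4.2.1 cares about (dNSName host names, iPAddress entries, IP literals carried inside a dNSName, and any other SAN type) and reports violations under either the April 2016 wording or the wording Rick proposes. It assumes the `(type, value)` tuple form that Python's `ssl.getpeercert()['subjectAltName']` returns, the sample SAN below is constructed from documentation addresses, and the `ballot_applied` switch is a hypothetical name chosen here.

```python
"""Lint subjectAltName entries against BR 7.1.4.2.1 (dNSName / iPAddress only).

Added example; not code from the CA/Browser Forum or from any poster in the
thread. Operates on the (type, value) tuple form that Python's
ssl.getpeercert()['subjectAltName'] returns, so no certificate-parsing
library is needed.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Tuple, Union

SanEntry = Tuple[str, str]
IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Constructed sample SAN (RFC 5737 / RFC 3849 documentation addresses).
SAMPLE_SAN: Tuple[SanEntry, ...] = (
    ("DNS", "www.example.com"),
    ("DNS", "192.0.2.10"),            # IPv4 literal carried as a dNSName
    ("IP Address", "192.0.2.10"),     # same address as a proper iPAddress entry
    ("DNS", "2001:db8::1"),           # IPv6 literal as a dNSName, no iPAddress twin
    ("DNS", "*.example.com"),
    ("IP Address", "198.51.100.7"),
    ("email", "admin@example.com"),   # neither dNSName nor iPAddress
)


def as_ip(value: str) -> Optional[IPAddr]:
    """Return an ipaddress object if value is an IP literal, else None."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None


def classify_san(entries: Iterable[SanEntry]) -> Dict[str, List[str]]:
    """Sort SAN entries into the buckets a BR 7.1.4.2.1 review looks at."""
    buckets: Dict[str, List[str]] = {
        "dns": [],          # dNSName entries that are host names
        "ip": [],           # iPAddress entries, normalised text form
        "ip_in_dns": [],    # dNSName entries whose value is an IP literal
        "other": [],        # any SAN type other than dNSName / iPAddress
    }
    for san_type, value in entries:
        if san_type == "DNS":
            ip = as_ip(value)
            if ip is None:
                buckets["dns"].append(value)
            else:
                buckets["ip_in_dns"].append(str(ip))
        elif san_type == "IP Address":
            ip = as_ip(value)
            buckets["ip"].append(str(ip) if ip is not None else value)
        else:
            buckets["other"].append(f"{san_type}:{value}")
    # Addresses present only in dNSName form: the thread says pre-Windows 10
    # clients match IP addresses only when carried this way, so these are
    # the entries a CA added for compatibility, with no iPAddress twin.
    buckets["ip_only_as_dns"] = [
        addr for addr in buckets["ip_in_dns"] if addr not in buckets["ip"]
    ]
    return buckets


def br_violations(entries: Iterable[SanEntry], ballot_applied: bool = False) -> List[str]:
    """List SAN entries that violate BR 7.1.4.2.1.

    ballot_applied=False checks the text as it stood in April 2016 (an IP
    literal inside a dNSName is a violation); ballot_applied=True applies the
    proposed wording, under which a dNSName may also hold an IP address.
    Other SAN types are violations under both readings.
    """
    b = classify_san(entries)
    violations = [f"unsupported SAN type {e}" for e in b["other"]]
    if not ballot_applied:
        violations += [f"IP literal in dNSName: {a}" for a in b["ip_in_dns"]]
    return violations


if __name__ == "__main__":
    for applied in (False, True):
        result = br_violations(SAMPLE_SAN, ballot_applied=applied)
        print(f"ballot applied={applied}:", result or "compliant")
```

Running it against the sample shows the same certificate flagged under the current text and accepted under the proposed text, with the `email` entry rejected either way; the `ip_only_as_dns` bucket is the one to watch when deciding whether a certificate issued for older Windows will still match once clients move to the iPAddress form.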