[cabfpub] Proposed new ballot on IP Addresses in SANs

Ryan Sleevi sleevi at google.com
Sun Apr 17 10:32:28 UTC 2016


On Sat, Apr 16, 2016 at 7:52 PM, Wayne Thayer <wthayer at godaddy.com> wrote:

> Does this mean a 'certificate containing an IP address in the CN and only
> that same IP address encoded as IPAddress in the first SAN entry?' In
> addition, does it imply:
>
> - no other SAN entries will be recognized, due to a different
> compatibility issue (Firefox?)
>
I'm not sure why you mentioned Firefox.

The compatibility issue is simple, and goes back to both RFC 2818 / RFC
6125 - when a sAN of dNSName is present, the commonName should be ignored.
If a sAN of dNSName is present, even Windows will ignore the commonName.

(There were several buggy implementations that did not follow this
strictly, but I would hardly find it acceptable for a CA to propose to
exploit those security vulnerabilities to sell certificates)

> - The cert can only support a single IP (only a single CN is allowed)
>
It can only support a single IP *for those Windows systems*. Other
platforms will support multiple iPAddress SANs, as does Windows 10.

> - Can't deprecate CN as long as this workaround is required
>
Define "required". It relies on exploiting not just a lack of
functionality, but one with known security vulnerabilities. It could
equally be argued that such certificates shouldn't be supported - that we
shouldn't be encouraging the issuance of certificates that rely on buggy
behaviour.
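The name-matching rule discussed above, as an added example that is not part of the thread, of any CA's tooling or of any browser's code: a small Python matcher implementing the RFC 2818 section 3.1 rule (dNSName SANs take precedence over the commonName; an IP address reference identifier is matched only against iPAddress SANs) next to the permissive commonName fallback that older clients apply. The certificates are constructed name sets, not parsed from real certificates, and the class and function names are this example's own.

```python
# Added example: RFC 2818 / RFC 6125-style reference identifier matching
# versus the permissive CN fallback that legacy clients apply.
# The CertNames records are constructed inputs, not parsed certificates.
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertNames:
    """The identity-bearing fields of an end-entity certificate."""
    common_name: Optional[str]
    dns_names: List[str] = field(default_factory=list)     # SAN dNSName entries
    ip_addresses: List[str] = field(default_factory=list)  # SAN iPAddress entries


def _parse_ip(text: str):
    """Return an ipaddress object, or None when text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None


def _dns_match(presented: str, reference: str) -> bool:
    """Case-insensitive DNS-ID comparison allowing a single left-most
    wildcard label (RFC 6125 section 6.4.3); the wildcard must be followed
    by at least two labels, so '*.com' never matches."""
    p = presented.lower().rstrip(".").split(".")
    r = reference.lower().rstrip(".").split(".")
    if p[0] == "*":
        return len(p) == len(r) and len(r) >= 3 and p[1:] == r[1:]
    return p == r


def matches_strict(cert: CertNames, reference: str) -> bool:
    """RFC 2818 section 3.1 behaviour.

    - An IP reference identifier matches only an iPAddress SAN; the CN is
      never consulted for it.
    - If any dNSName SAN is present, the CN is ignored entirely.
    - Only a certificate with no dNSName SAN at all falls back to the CN.
    """
    ref_ip = _parse_ip(reference)
    if ref_ip is not None:
        # Comparing parsed objects also normalises IPv6 spelling/case.
        return any(_parse_ip(ip) == ref_ip for ip in cert.ip_addresses)
    if cert.dns_names:
        return any(_dns_match(name, reference) for name in cert.dns_names)
    return cert.common_name is not None and _dns_match(cert.common_name, reference)


def matches_cn_fallback(cert: CertNames, reference: str) -> bool:
    """The permissive behaviour of older clients: when the strict check
    fails, still accept a CN that textually equals the reference, even when
    SANs are present and even when the CN carries an IP address."""
    if matches_strict(cert, reference):
        return True
    return (cert.common_name is not None
            and cert.common_name.lower() == reference.lower())


if __name__ == "__main__":
    # Constructed certificates illustrating the shapes discussed in the thread.
    ballot_shape = CertNames("192.0.2.10", ip_addresses=["192.0.2.10"])
    ip_in_cn_only = CertNames("192.0.2.10", dns_names=["www.example.com"])
    for label, cert in (("ballot shape", ballot_shape), ("IP only in CN", ip_in_cn_only)):
        print(label, "strict:", matches_strict(cert, "192.0.2.10"),
              "cn-fallback:", matches_cn_fallback(cert, "192.0.2.10"))
```

Run as a script it shows the two shapes side by side: a certificate carrying the IP both in the CN and as an iPAddress SAN passes the strict check, so it serves strict clients through the SAN and legacy clients through the CN, while a certificate with the IP only in the CN next to dNSName SANs is accepted solely by the CN-fallback path.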