[cabfpub] Defining BR scope

Rob Stradling rob.stradling at comodo.com
Tue Feb 2 12:33:56 UTC 2016


On 02/02/16 12:16, Gervase Markham wrote:
> On 01/02/16 18:15, Rob Stradling wrote:
>> Do any modern browsers still match domain names and IP addresses against
>> the Subject Common Name?
>
> Yes, all of them AIUI.
>
>> If so, are we anywhere near the point where
>> they could stop doing this?
>
> Well, we mandated that SANs should mirror CN quite a while back, so
> there may be scope for this soon for publicly-trusted certs. I believe
> Ryan had some views here...
>
>> I'm wondering if we could define the scope of the BRs to consider not
>> just the EKU extension, but also the SAN extension.  (I forget if this
>> has been proposed previously - apologies if it has).
>
> This does run into the "protecting people with down-level revisions of
> software" problem.

How well are we protecting people with down-level revisions of software 
today though?

I don't think what I suggested would make the situation any worse for 
people with down-level versions, but it would improve the situation for 
people with current versions.

That'd be better than continuing to do nothing, wouldn't it?

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online




More information about the Public mailing list