CA/Forbidden or Problematic Practices: Difference between revisions

Only data that has been verified to be correct should be included in a certificate. All information that is supplied by the requester must be verified to be correct before it may be included in the certificate. For example, for SSL certificates, alternative names need to be validated just as well as the subject. And for email certificates, if only the email address of the certificate subscriber is verified, then the CN should not include any unverified element that the subscriber supplied.
=== DNS names in SANs ===
It would be appropriate for Mozilla CA policy to mandate that CAs put all DNS names for a cert into SANs. It would not be necessary to go beyond that and forbid CAs from ALSO putting one DNS name in the Subject Common Name for the benefit of VERY old (more than 12 year old) browsers that don't recognize SANs. It is only necessary to make it clear that ALL the DNS names (not all but one) must go into the SAN.
Some CAs mistakenly believe that one primary DNS name should go into the Subject Common Name and all the others into the SAN. That's wrong. ALL of them should go into the SAN.
Then modern browsers should stop paying attention to Subject common names. It doesn't matter what CAs put there as long as browsers don't look there.
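As an added example (not part of this wiki page or of any Mozilla tooling), a small Go lint that encodes the rule above: it flags a server certificate whose Subject CN carries a DNS name that is absent from the SAN, and one with no SAN DNS names at all. `testCert` builds constructed sample data, and `lintPEM` is an assumed helper name for running the same check on a real PEM file.

```go
package main

import (
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"strings"
)

// lintDNSNames applies the rule above to a server cert: every DNS name must be in
// the SAN, and a CN is tolerated only as a copy of a SAN entry. Empty = pass.
func lintDNSNames(cert *x509.Certificate) []string {
	var findings []string
	inSAN := map[string]bool{}
	for _, d := range cert.DNSNames {
		inSAN[strings.ToLower(d)] = true // DNS names compare case-insensitively
	}
	if len(cert.DNSNames) == 0 {
		findings = append(findings, "no DNS names in SAN extension")
	}
	// A name that exists only in the CN is invisible to SAN-aware clients.
	if cn := strings.ToLower(cert.Subject.CommonName); cn != "" && !inSAN[cn] {
		findings = append(findings, fmt.Sprintf("CN %q is not present in SAN", cn))
	}
	return findings
}

// lintPEM runs the same check on a PEM-encoded certificate, e.g. a file on disk.
func lintPEM(data []byte) ([]string, error) {
	block, _ := pem.Decode(data)
	if block == nil || block.Type != "CERTIFICATE" {
		return nil, fmt.Errorf("no CERTIFICATE block found in PEM input")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return nil, err
	}
	return lintDNSNames(cert), nil
}

// testCert builds a constructed cert (not from the page) with only the fields the lint reads.
func testCert(cn string, sans ...string) *x509.Certificate {
	return &x509.Certificate{Subject: pkix.Name{CommonName: cn}, DNSNames: sans}
}

func main() {
	fmt.Println(lintDNSNames(testCert("www.example.com", "www.example.com", "example.com"))) // passes
	fmt.Println(lintDNSNames(testCert("www.example.com", "example.com")))                    // the mistaken pattern
}
```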