CA/Forbidden or Problematic Practices: Difference between revisions

Add some bug links.
Line 45: Line 45:
It is also a problematic practice to issue a certificate with non resolvable DNS or private IP and resolvable DNS adresses together.
It is also a problematic practice to issue a certificate with non resolvable DNS or private IP and resolvable DNS adresses together.


It is not standards compliant for printable ASCII representations of IP addresses to be placed in any certificate field that is intended to hold DNS names, including the subject common name and the DNSName field of the Subject Alternative Names extension. There is a place in a certificate specifically intended to be where IP (v4 or v6) addresses may be placed. It is in the Subject Alternative Names extension.  The SubjectAltNames extension has places for both additional DNS names and for IP addresses. The place for IP addresses takes them in binary form, not in printable ASCII (e.g. dotted decimal) form.
It is not standards compliant for printable ASCII representations of IP addresses to be placed in any certificate field that is intended to hold DNS names, including the subject common name and the DNSName field of the Subject Alternative Names extension. There is a place in a certificate specifically intended to be where IP (v4 or v6) addresses may be placed. It is in the Subject Alternative Names extension.  The SubjectAltNames extension has places for both additional DNS names and for IP addresses. The place for IP addresses takes them in binary form, not in printable ASCII (e.g. dotted decimal) form.  See {{bug|553754}}.


=== Issuing SSL Certificates for Internal Domains ===
=== Issuing SSL Certificates for Internal Domains ===
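Review bot: The added "See {{bug|553754}}." at the end of the IP-address paragraph does not say what the bug shows, so a reader cannot tell whether it is an instance of an IP address placed in a DNS name field, a discussion of the rule, or a client-side issue. Suggest a short qualifier before the link stating what the bug is cited for. While this paragraph is being touched, the unchanged line just above it still reads "non resolvable DNS or private IP and resolvable DNS adresses together"; "adresses" should be "addresses" and "non resolvable" should be hyphenated.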
Line 187: Line 187:
Some CAs mistakenly believe that one primary DNS name should go into the Subject Common Name and all the others into the SAN.  That's wrong.  ALL should go into the SAN.
Some CAs mistakenly believe that one primary DNS name should go into the Subject Common Name and all the others into the SAN.  That's wrong.  ALL should go into the SAN.


Then, modern browsers should stop paying attention to Subject common names. Doesn't matter what CAs put there as long as browsers don't look there.
Then, modern browsers should stop paying attention to Subject common names ({{bug|552346}}). Doesn't matter what CAs put there as long as browsers don't look there.
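Review bot: The bug reference is placed mid-sentence as "({{bug|552346}})" directly after "Subject common names", which differs from the "See {{bug|553754}}." form used in the earlier hunk and leaves unclear whether the bug is about the names themselves or about browsers no longer consulting them. Suggest using one citation form for both additions and attaching this one to the clause it supports, for example at the end of the sentence after "should stop paying attention to Subject common names". The following fragment, "Doesn't matter what CAs put there as long as browsers don't look there.", is unchanged but would read better with an explicit subject if this line is edited again.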
