[10] [DFN[[CODE[[[dNSName]]]]]] is a kind of [CODE[[[GeneralName]]]] that
represents an [[Internet]] [[domain name]].
[12] A [DFN[[[DNS-ID]]]] is a [CODE[[[subjectAltName]]]] entry of type
[CODE[[[dNSName]]]] [SRC[>>11]].
* Specifications
[REFS[
- [4] '''[CITE@en[RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]] ([TIME[2015-02-22 15:44:10 +09:00]] version) <http://tools.ietf.org/html/rfc5280#section-7.2>'''
- [11] [CITE@en[RFC 6125 - Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)]] ([TIME[2015-03-13 22:27:53 +09:00]] version) <https://tools.ietf.org/html/rfc6125#section-1.8>
]REFS]
* Syntax
[5] The value is an [CODE[[[IA5String]]]].
[6] An [[IDN]] [['''MUST''']] be converted to [[A-label]]s before being [[stored]].
That is, the result of applying the [[IDNA2003]] [CODE[[[ToASCII]]]] [[operation]]
with the [CODE[[[UseSTD3ASCIIRules]]]] flag set and the [CODE[[[AllowUnassigned]]]]
flag unset [['''MUST''']] be [[stored]] [SRC[>>4]].
* Comparison
[7] Comparison [['''MUST''']] be [[case-insensitive]] [SRC[>>4]].
;; [8] The name being compared against also needs to be converted to [[A-label]]s as in >>6 before the comparison.
* Rendering
[9] An [[IDN]] should be converted to [[U-label]]s before display. That is,
the result of applying the [[IDNA2003]] [CODE[[[ToUnicode]]]] [[operation]] with the
[CODE[[[UseSTD3ASCIIRules]]]] flag set and the [CODE[[[AllowUnassigned]]]] flag unset
should be used. [SRC[>>4]]
* Notes
[FIG(quote)[
[FIGCAPTION[
[1] [CITE@en[RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]]
([TIME[2015-02-22 15:44:10 +09:00]] version)
<http://tools.ietf.org/html/rfc5280#section-4.2.1.6>
]FIGCAPTION]
> When the subjectAltName extension contains a domain name system
> label, the domain name MUST be stored in the dNSName (an IA5String).
> The name MUST be in the "preferred name syntax", as specified by
> Section 3.5 of '''['''RFC1034''']''' and as modified by Section 2.1 of
> '''['''RFC1123''']'''. Note that while uppercase and lowercase letters are
> allowed in domain names, no significance is attached to the case. In
> addition, while the string " " is a legal domain name, subjectAltName
> extensions with a dNSName of " " MUST NOT be used. Finally, the use
> of the DNS representation for Internet mail addresses
> (subscriber.example.com instead of subscriber@example.com) MUST NOT
> be used; such identities are to be encoded as rfc822Name.
]FIG]
[FIG(quote)[
[FIGCAPTION[
[2] [CITE@en[RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]]
([TIME[2015-02-22 15:44:10 +09:00]] version)
<http://tools.ietf.org/html/rfc5280#section-4.2.1.6>
]FIGCAPTION]
> the semantics of subject alternative names that include
> wildcard characters (e.g., as a placeholder for a set of names) are
> not addressed by this specification. Applications with specific
> requirements MAY use such names, but they must define the semantics.
]FIG]
[FIG(quote)[
[FIGCAPTION[
[3] [CITE@en[RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]]
([TIME[2015-02-22 15:44:10 +09:00]] version)
<http://tools.ietf.org/html/rfc5280#section-4.2.1.10>
]FIGCAPTION]
> DNS name restrictions are expressed as host.example.com. Any DNS
> name that can be constructed by simply adding zero or more labels to
> the left-hand side of the name satisfies the name constraint. For
> example, www.host.example.com would satisfy the constraint but
> host1.example.com would not.
]FIG]
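The storage, comparison and rendering rules in >>6 to >>9 above, together with the DNS name-constraint matching rule quoted in [3], as an added Python example that is not part of this page or of any of the cited RFCs. It relies on the standard-library `encodings.idna` module, which implements IDNA2003 (RFC 3490) ToASCII/ToUnicode; that module skips the UseSTD3ASCIIRules step and does not reject unassigned code points, so the example enforces the STD3 letter-digit-hyphen rule itself and only approximates the AllowUnassigned=false requirement. The function names and all sample names are constructed for this example.

```python
"""dNSName handling as described on the page: IDNA2003 ToASCII for storage,
STD3 / preferred-name-syntax checks, case-insensitive comparison after
A-label conversion, ToUnicode for rendering, and RFC 5280 4.2.1.10
DNS name-constraint matching.

Added example (not the wiki page's or any RFC's code). encodings.idna is the
stdlib IDNA2003 implementation; it skips UseSTD3ASCIIRules and does not check
for unassigned code points, so the LDH rule is enforced here explicitly.
"""
import encodings.idna
import re

# Preferred name syntax (RFC 1034 3.5 as modified by RFC 1123 2.1): a label is
# 1-63 letters, digits or hyphens and neither starts nor ends with a hyphen.
_LDH_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def to_dnsname(name: str) -> str:
    """Return the IA5String form to store in a dNSName (>>5, >>6): every label
    run through IDNA2003 ToASCII, the STD3 rule enforced, result lowercased."""
    if name.strip() == "":
        # " " is a legal domain name, but RFC 5280 forbids it as a dNSName.
        raise ValueError("empty or space-only dNSName is not allowed")
    if "@" in name:
        # Mail addresses belong in rfc822Name, never in a dNSName.
        raise ValueError("mail addresses must be encoded as rfc822Name")
    labels = []
    for label in name.rstrip(".").split("."):
        try:
            ascii_label = encodings.idna.ToASCII(label).decode("ascii")
        except UnicodeError as exc:
            raise ValueError(f"IDNA ToASCII failed for label {label!r}: {exc}") from exc
        # Case carries no significance, so store a canonical lowercase form.
        ascii_label = ascii_label.lower()
        # UseSTD3ASCIIRules: letters, digits and hyphens only, no edge hyphens.
        if not _LDH_LABEL.match(ascii_label):
            raise ValueError(f"label {ascii_label!r} violates STD3 ASCII rules")
        labels.append(ascii_label)
    result = ".".join(labels)
    if len(result) > 253:
        raise ValueError("domain name too long")
    return result


def is_valid_dnsname(name: str) -> bool:
    """True when the name can be stored as a dNSName under the rules above."""
    try:
        to_dnsname(name)
        return True
    except ValueError:
        return False


def dnsname_equal(a: str, b: str) -> bool:
    """>>7 and >>8: convert both sides to A-labels, then compare case-insensitively."""
    return to_dnsname(a).lower() == to_dnsname(b).lower()


def to_display(dnsname: str) -> str:
    """>>9: convert a stored dNSName back to U-labels (IDNA2003 ToUnicode) for display."""
    return ".".join(encodings.idna.ToUnicode(label) for label in dnsname.split("."))


def satisfies_name_constraint(name: str, constraint: str) -> bool:
    """RFC 5280 4.2.1.10 (quote [3]): a DNS name satisfies a constraint such as
    host.example.com when it equals it or is built by adding zero or more
    labels on the left-hand side."""
    n = to_dnsname(name)
    c = to_dnsname(constraint)
    return n == c or n.endswith("." + c)


if __name__ == "__main__":
    # Constructed sample names.
    for raw in ("Bücher.Example", "www.HOST.example.com"):
        stored = to_dnsname(raw)
        print(f"{raw!r} -> stored {stored!r} -> rendered {to_display(stored)!r}")
    print(satisfies_name_constraint("www.host.example.com", "host.example.com"))
    print(satisfies_name_constraint("host1.example.com", "host.example.com"))
```

Certificate verifiers that compare a DNS-ID against a reference identity should route both strings through the same canonicalisation (`to_dnsname` here) before comparing; comparing a U-label against an A-label, or an uppercase against a lowercase form, is a common source of both false rejections and mismatched name-constraint checks.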