-
Notifications
You must be signed in to change notification settings - Fork 4
/
922.txt
109 lines (78 loc) · 4.96 KB
/
922.txt
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
[10] [DFN[[CODE[[[dNSName]]]]]] は、 [CODE[[[GeneralName]]]] の一種で、
[[インターネット]]の[[ドメイン名]]を表します。
[12] [DFN[[[DNS-ID]]]] とは、型 [CODE[[[dNSName]]]] の [CODE[[[subjectAltName]]]]
エントリーをいいます [SRC[>>11]]。
* 仕様書
[REFS[
- [4] '''[CITE@en[RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]] ([TIME[2015-02-22 15:44:10 +09:00]] 版) <http://tools.ietf.org/html/rfc5280#section-7.2>'''
- [11] [CITE@en[RFC 6125 - Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)]] ([TIME[2015-03-13 22:27:53 +09:00]] 版) <https://tools.ietf.org/html/rfc6125#section-1.8>
- [14] [CITE[[[BR]]]] ([TIME[2014-11-01 05:54:38 +09:00]] 版) <https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf#page=17>
- [17] ([TIME[2014-11-01 05:09:16 +09:00]] 版) <https://cabforum.org/wp-content/uploads/EV-V1_5_2Libre.pdf#page=16>
]REFS]
* 構文
[5] 値は、 [CODE[[[IA5String]]]] です。
[6] [[IDN]] を[[Aラベル]]に変換してから[[蓄積]]しなければ[['''なりません''']]。
すなわち、 [[IDNA2003]] [CODE[[[ToASCII]]]] [[演算]]を
[CODE[[[UseSTD3ASCIIRules]]]] フラグあり、 [CODE[[[AllowUnassigned]]]]
フラグなしで適用した結果を[[蓄積]]しなければ[['''なりません''']] [SRC[>>4]]。
[16] [[BR]] に従う [[CA]] は [[FQDN]] ([[ワイルドカードFQDN]]を含む。)
を指定した [[SAN]] を[[証明書]]に含めなければ[['''なりません''']] [SRC[>>14]]。
[15] [[BR]] に従う [[CA]] は、2016年10月1日までに[[内部名]]を [[SAN]]
[CODE[[[dNSName]]]] に指定した[[証明書]]を全廃することになっています [SRC[>>14]]。
[19] [[EV証明書]]では[[ドメイン名]]を含めなければ[['''なりません''']] [SRC[>>17]]。
[[ワイルドカード証明書]]は認められていません [SRC[>>17]]。
* 文脈
[13] 要件と処理方法については [[service identity]] も参照。
[18] [[EV]] では必須です [SRC[>>17]]。
* 比較
[7] [[大文字・小文字不区別]]で比較しなければ[['''なりません''']] [SRC[>>4]]。
;; [8] 比較対象も比較前に >>6 の通り [[Aラベル]]に変換する必要があります。
* レンダリング
[9] 表示前に [[IDN]] を [[Uラベル]]に変換するべきです。すなわち、
[[IDNA2003]] [CODE[[[ToUnicode]]]] [[演算]]を [CODE[[[UseSTD3ASCIIRules]]]]
フラグあり、 [CODE[[[AllowUnassigned]]]] フラグなしで適用した結果を使うべきです。
[SRC[>>4]]
* 関連
[20] [SEE[ [[CN-ID]]、[[SAN]] ]]
* メモ
[FIG(quote)[
[FIGCAPTION[
[1] [CITE@en[RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]]
([TIME[2015-02-22 15:44:10 +09:00]] 版)
<http://tools.ietf.org/html/rfc5280#section-4.2.1.6>
]FIGCAPTION]
> When the subjectAltName extension contains a domain name system
> label, the domain name MUST be stored in the dNSName (an IA5String).
> The name MUST be in the "preferred name syntax", as specified by
> Section 3.5 of '''['''RFC1034''']''' and as modified by Section 2.1 of
> '''['''RFC1123''']'''. Note that while uppercase and lowercase letters are
> allowed in domain names, no significance is attached to the case. In
> addition, while the string " " is a legal domain name, subjectAltName
> extensions with a dNSName of " " MUST NOT be used. Finally, the use
> of the DNS representation for Internet mail addresses
> (subscriber.example.com instead of subscriber@example.com) MUST NOT
> be used; such identities are to be encoded as rfc822Name.
]FIG]
[FIG(quote)[
[FIGCAPTION[
[2] [CITE@en[RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]]
([TIME[2015-02-22 15:44:10 +09:00]] 版)
<http://tools.ietf.org/html/rfc5280#section-4.2.1.6>
]FIGCAPTION]
> the semantics of subject alternative names that include
> wildcard characters (e.g., as a placeholder for a set of names) are
> not addressed by this specification. Applications with specific
> requirements MAY use such names, but they must define the semantics.
]FIG]
[FIG(quote)[
[FIGCAPTION[
[3] [CITE@en[RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]]
([TIME[2015-02-22 15:44:10 +09:00]] 版)
<http://tools.ietf.org/html/rfc5280#section-4.2.1.10>
]FIGCAPTION]
> DNS name restrictions are expressed as host.example.com. Any DNS
> name that can be constructed by simply adding zero or more labels to
> the left-hand side of the name satisfies the name constraint. For
> example, www.host.example.com would satisfy the constraint but
> host1.example.com would not.
]FIG]