e_subject_common_name_not_from_san when commonName is U-label #601
Comments
Ballot 202 failed (see https://cabforum.org/2017/07/26/ballot-202-underscore-wildcard-characters/), and AFAIK no revised ballot has yet been proposed. The BRs currently specify the following requirement for the subject:commonName field in leaf certificates: "Fully‐Qualified Domain Name" is a Defined Term: DNS is not Unicode-aware, so "the labels" MUST be A-labels, not U-labels. Also, I would argue that "is one of the values" requires the commonName to be byte-for-byte identical to one of the subjectAltName:dNSName values.
So that would mean that the certificate was misissued?
Yes, I agree with @robstradling's assessment, this seems like a valid linter error.
I'm following the MDSP discussion on this subject and considering the issue blocked on spec for now.
Now that SC48 has passed and is effective, this can be closed.
From the discussion in https://archive.cabforum.org/pipermail/public/2017-July/011775.html I understand that U-labels are allowed in CN. However, when CN is a U-label, zlint shows errors and that seems wrong.
Example certificate: https://crt.sh/?id=4512264235&opt=zlint
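
The byte-for-byte comparison argued for in the comments above, as an added example that is not zlint's code and not part of the original issue: it classifies a CN against the SAN dNSName list and shows why a U-label CN fails even when its A-label form is present. The function names, status strings and hostnames are constructed, and Python's built-in `idna` codec (IDNA2003) is an assumption standing in for whatever IDNA processing an issuer uses.

```python
"""CN-vs-SAN check: added example, not zlint's implementation."""

def to_a_label(name):
    # Assumption: Python's built-in "idna" codec (IDNA2003 ToASCII) is enough
    # for illustration; a CA's IDNA processing may differ.
    return name.encode("idna").decode("ascii")

def check_cn(cn, san_dns):
    """Return (status, detail) for a subject CN against SAN dNSName values."""
    # Exact string equality is the "is one of the values" reading.
    if cn in san_dns:
        return ("pass", "CN is identical to a SAN dNSName")
    if not cn.isascii():
        # Non-ASCII means at least one label is a U-label.
        try:
            a_form = to_a_label(cn)
        except UnicodeError:
            return ("invalid_idn", "CN has non-ASCII labels that do not encode")
        if a_form in san_dns:
            return ("u_label", "CN is the U-label form of SAN " + a_form)
        return ("not_in_san", "CN (A-label form " + a_form + ") matches no SAN")
    lowered = [s.lower() for s in san_dns]
    if cn.lower() in lowered:
        return ("case_mismatch", "CN differs from a SAN only in letter case")
    return ("not_in_san", "CN matches no SAN dNSName")

# Constructed sample data; hostnames are placeholders.
SAMPLES = [
    ("xn--bcher-kva.example", ["xn--bcher-kva.example", "www.example"]),
    ("b\u00fccher.example", ["xn--bcher-kva.example"]),
    ("WWW.example", ["www.example"]),
    ("other.example", ["www.example"]),
]

if __name__ == "__main__":
    for cn, sans in SAMPLES:
        status, detail = check_cn(cn, sans)
        print(f"{cn!r:32} {status:14} {detail}")
```

Only the first sample passes; the other three statuses separate the U-label case from a case-only difference and from a name that is absent from the SAN list.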