Opened 9 years ago
Closed 7 years ago
#17 closed defect (fixed)
Add advice on CNs
| Reported by: | benl@… | Owned by: | rob.stradling@… |
|---|---|---|---|
| Priority: | major | Milestone: | review |
| Component: | rfc6962-bis | Version: | |
| Severity: | - | Keywords: | |
| Cc: | | | |
Description
Some CAs would like to include CNs even though they are deprecated. If using name redaction, what should go in the CN? Add advice somewhere to suggest they use the base domain name (which will also have to be added as a SAN).
Change History (11)
comment:1 Changed 9 years ago by benl@…
comment:2 Changed 9 years ago by benl@…
In fact we think that removing CNs will break some tiny percentage of devices, and so we should allow a single CN, which, if present, uses the first entry in the redaction list.
comment:3 Changed 9 years ago by rob.stradling@…
The mailing list (also, see ticket #42) is currently discussing the dangers of the name redaction mechanism. I think that discussion needs to reach a firm conclusion on whether name redaction should ever be allowed before we can continue progress on this ticket. (If name redaction is never allowed, then this ticket is pointless and should be marked WONTFIX).
comment:4 (follow-up: comment:5) Changed 8 years ago by eranm@…
- Resolution set to duplicate
- Status changed from new to closed
Ticket #54 addresses this, marking as duplicate.
comment:5 (in reply to comment:4) Changed 8 years ago by rob.stradling@…
- Resolution duplicate deleted
- Status changed from closed to reopened
comment:6 Changed 8 years ago by rob.stradling@…
- Owner changed from draft-ietf-trans-rfc6962-bis@… to rob.stradling@…
- Status changed from reopened to new
comment:7 Changed 8 years ago by rob.stradling@…
- Status changed from new to assigned
We'll use Ben's proposal from comment:2:
"...we should allow a single CN, which, if present, uses the first entry in the redaction list."
Let's require the Subject CN, if present, to match the first dNSName in the SAN extension, so that they can both use the first entry in the redaction list.
comment:8 Changed 8 years ago by rob.stradling@…
- Resolution set to fixed
- Status changed from assigned to closed
comment:9 Changed 7 years ago by rob.stradling@…
- Resolution fixed deleted
- Status changed from closed to reopened
It's problematic to require the Subject CN, if present, to match the first SAN dNSName. See this thread for discussion:
https://mailarchive.ietf.org/arch/msg/trans/q3mT1tSeKJkh2TDftElF8WBlLp8
Let's adopt Peter Bowen's suggestion to "...append one more element to the sequence for CN redaction level. I think it should go at the end, rather than the beginning, as it should be more likely to not have a common name than not having a SAN."
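The "one redaction level per SAN dNSName, with the CN's level appended at the end" layout adopted in the comment above, as an added illustration that is not code from the rfc6962-bis draft or from this ticket. Assumptions for the example: each integer is a count of leading labels replaced by `?`, a name can never be redacted down to nothing, and the CN element is present only when the certificate carries a Subject CN.

```python
from typing import List, Optional, Tuple


def redact_name(name: str, level: int) -> str:
    """Replace the leading `level` labels of a DNS name with '?'.
    Assumption for this example: at least one label must survive."""
    labels = name.split(".")
    if level < 0 or level >= len(labels):
        raise ValueError(f"cannot redact {level} of {len(labels)} labels in {name!r}")
    return ".".join(["?"] * level + labels[level:])


def apply_redaction(san_dns_names: List[str],
                    common_name: Optional[str],
                    levels: List[int]) -> Tuple[List[str], Optional[str]]:
    """Apply a redaction-level sequence laid out as the ticket settles on:
    one integer per SAN dNSName, in SAN order, followed (only if the
    certificate has a Subject CN) by one final integer for the CN.
    Because the CN entry is last, a CN-less certificate simply has a
    shorter sequence, and the CN is no longer forced to equal the first
    dNSName (the requirement comment:9 backs out of)."""
    expected = len(san_dns_names) + (1 if common_name is not None else 0)
    if len(levels) != expected:
        raise ValueError(f"expected {expected} redaction levels, got {len(levels)}")
    redacted_sans = [redact_name(n, lv) for n, lv in zip(san_dns_names, levels)]
    redacted_cn = None
    if common_name is not None:
        redacted_cn = redact_name(common_name, levels[-1])
    return redacted_sans, redacted_cn


if __name__ == "__main__":
    # Constructed sample: the CN is the second SAN, redacted at its own level.
    sans = ["www.example.com", "mail.internal.example.com"]
    print(apply_redaction(sans, "mail.internal.example.com", [1, 2, 1]))
    # A certificate without a CN carries only the SAN levels.
    print(apply_redaction(sans, None, [1, 2]))
```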
comment:10 Changed 7 years ago by rob.stradling@…
- Milestone set to review
comment:11 Changed 7 years ago by melinda.shore@…
- Resolution set to fixed
- Status changed from reopened to closed
It would be nice if someone (maybe Google) would test whether omitting CNs actually causes any problem.