Open
Bug 552346
Opened 14 years ago
Updated 6 months ago
Stop honoring DNS names found in subject common names in CERT_VerifyCertName
Categories
(NSS :: Libraries, defect, P5)
NSS
Libraries
Tracking
(Not tracked)
NEW
People
(Reporter: matt, Unassigned)
References
Details
From bug 394919 comment #11: NSS (in CERT_VerifyCertName) currently treats the common name of a certificate as a valid DNS name if the certificate contains no DNS subjectAltNames. This is a legacy behavior that should be removed once there is enough momentum to do so in the community.
Comment 1•14 years ago
|
||
According to Apple, Safari will not treat the common name as a domain name if there is a domain name in the SAN.
Comment 2•14 years ago
|
||
Eddy, NSS has always done that, ever since it first supported SANs. This bug proposes that support for DNS names in subject common names be dropped altogether, with or without SANs. As you know, I favor that idea but I realize that it is unlikely that any one browser will ever do that unilaterally, lest they cede much market to the others who don't. Maybe you should run this up the flag pole at CABF and see who salutes. :)
Reporter | ||
Comment 3•14 years ago
|
||
For starters, we could practice what we preach: bug 553749.
Updated•14 years ago
|
Summary: Stop honoring DNS common names in CERT_VerifyCertName → Stop honoring DNS names found in subject common names in CERT_VerifyCertName
Updated•2 years ago
|
Severity: normal → S3
Updated•6 months ago
|
Severity: S3 → S4
Priority: -- → P5
You need to log in
before you can comment on or make changes to this bug.
Description
•