[9] RFR: 8007706: X.509 cert extension SAN should support "_" in dNSName

Florian Weimer fweimer at redhat.com
Mon Aug 4 10:50:29 UTC 2014


On 08/02/2014 04:09 AM, Jason Uh wrote:
> Hi Florian,
>
> Thanks for your input. There was some discussion about the issue in the
> past on this list:
> http://mail.openjdk.java.net/pipermail/security-dev/2013-February/006622.html

> Do you disagree with the comments there?

I think the intent of RFC 5280 is *not* to allow "_" in dNSName.

However, other PKIX implementations (OpenSSL, NSS) do not seem to verify 
dNSName syntax at all, so it might be necessary to drop the check for 
interoperability reasons in OpenJDK, even if it makes OpenJDK less 
compliant with RFC 5280.

-- 
Florian Weimer / Red Hat Product Security
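
The trade-off discussed in this message, as an added example (not OpenJDK's code and not part of the original message): a Java dNSName syntax check with a strict mode following the preferred name syntax of RFC 1034 section 3.5 as modified by RFC 1123 section 2.1, which RFC 5280 references for dNSName, and a lenient mode that also accepts "_". The class, enum and method names, the choice to treat "_" like a letter in lenient mode, and the sample host names are assumptions made for illustration.

```java
import java.util.List;

public class DnsNameCheck {
    // Hypothetical names for this example; not OpenJDK API.
    enum Mode { STRICT, LENIENT }

    // STRICT: letters, digits and '-' only; a label starts and ends with a
    // letter or digit, is 1..63 characters long, and the whole name is at
    // most 253 characters. LENIENT: same, but '_' counts as a letter.
    // Wildcard labels ("*") are out of scope and rejected in both modes.
    static boolean isValidDnsName(String name, Mode mode) {
        if (name.isEmpty() || name.length() > 253) {
            return false;
        }
        // limit -1 keeps empty labels so "a..b" and "a.b." are rejected
        for (String label : name.split("\\.", -1)) {
            int n = label.length();
            if (n == 0 || n > 63) {
                return false;
            }
            if (!isNameChar(label.charAt(0), mode)
                    || !isNameChar(label.charAt(n - 1), mode)) {
                return false;   // label may not start or end with '-'
            }
            for (int i = 1; i < n - 1; i++) {
                char c = label.charAt(i);
                if (c != '-' && !isNameChar(c, mode)) {
                    return false;
                }
            }
        }
        return true;
    }

    static boolean isNameChar(char c, Mode mode) {
        boolean letterOrDigit = (c >= 'a' && c <= 'z')
                || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
        return letterOrDigit || (mode == Mode.LENIENT && c == '_');
    }

    public static void main(String[] args) {
        // Constructed sample names, not taken from any real certificate.
        List<String> samples = List.of("www.example.com",
                "my_host.example.com", "-bad.example.com", "a..example.com");
        for (String s : samples) {
            System.out.printf("%-22s strict=%-5b lenient=%b%n", s,
                    isValidDnsName(s, Mode.STRICT), isValidDnsName(s, Mode.LENIENT));
        }
    }
}
```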


