[9] RFR: 8007706: X.509 cert extension SAN should support "_" in dNSName
Jason Uh
jason.uh at oracle.com
Tue Aug 5 05:52:36 UTC 2014
Hi Florian,
I've reviewed the RFC again and think there might be some
misinterpretation. The only part I see about underscores reads:
> Implementers should note that the at sign ('@') and underscore ('_')
> characters are not supported by the ASN.1 type PrintableString.
> These characters often appear in Internet addresses. Such addresses
> MUST be encoded using an ASN.1 type that supports them. They are
> usually encoded as IA5String in either the emailAddress attribute
> within a distinguished name or the rfc822Name field of GeneralName.
> Conforming implementations MUST NOT encode strings that include
> either the at sign or underscore character as PrintableString.
RFC 5280 doesn't allow underscores for *PrintableString*, but DNSName is
an *IA5String*, which does support them.
Jason
On 08/04/2014 03:50 AM, Florian Weimer wrote:
> On 08/02/2014 04:09 AM, Jason Uh wrote:
>> Hi Florian,
>>
>> Thanks for your input. There was some discussion about the issue in the
>> past on this list:
>> http://mail.openjdk.java.net/pipermail/security-dev/2013-February/006622.html
>>
>
>> Do you disagree with the comments there?
>
> I think the intent of RFC 5280 is *not* to allow "_" in dNSName.
>
> However, other PKIX implementations (OpenSSL, NSS) do not seem to verify
> dNSName syntax at all, so it might be necessary to drop the check for
> interoperability reasons in OpenJDK, even if it makes OpenJDK less
> compliant with RFC 5280.
>
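The distinction the thread turns on is a character-set one: the RFC 5280 passage Jason quotes forbids '@' and '_' only in PrintableString, while dNSName in GeneralName is an IA5String, and the separate question is what hostname syntax a validator should enforce on top of that. The following is an added example, not code from OpenJDK or from either poster, that makes the three checks explicit side by side. It assumes the X.680 PrintableString alphabet (letters, digits, space and `' ( ) + , - . / : = ?`), IA5String as 7-bit ASCII, and a label rule modelled on the RFC 1034 preferred name syntax with an optional relaxation that admits '_', which is the change under review. The sample names are constructed.

```python
import re
import string

# ASN.1 PrintableString alphabet per X.680: letters, digits, space and ' ( ) + , - . / : = ?
# Both '@' and '_' are absent, which is exactly what the quoted RFC 5280 text points out.
PRINTABLE_STRING_CHARS = frozenset(string.ascii_letters + string.digits + " '()+,-./:=?")

# Hostname label syntax. STRICT follows the RFC 1034 preferred name syntax
# (letters, digits, hyphen; no leading/trailing hyphen; 1..63 chars).
# RELAXED additionally admits '_', the relaxation discussed in this thread.
LABEL_STRICT = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
LABEL_RELAXED = re.compile(r"^[A-Za-z0-9_](?:[A-Za-z0-9_-]{0,61}[A-Za-z0-9_])?$")


def is_printable_string(s: str) -> bool:
    """True if every character may be encoded as an ASN.1 PrintableString."""
    return all(c in PRINTABLE_STRING_CHARS for c in s)


def is_ia5_string(s: str) -> bool:
    """True if every character is 7-bit ASCII (IA5 / ITU-T T.50), the type dNSName uses."""
    return all(ord(c) < 128 for c in s)


def is_valid_dns_name(name: str, allow_underscore: bool = False) -> bool:
    """Syntax check a validator might apply to a dNSName value.

    With allow_underscore=False this is the strict RFC 1034 form; with True it is the
    relaxed form that accepts names such as SRV-style '_sip._tcp.example.com'.
    An empty label (leading, trailing or doubled dot) fails either way.
    """
    if not name or len(name) > 253:
        return False
    pattern = LABEL_RELAXED if allow_underscore else LABEL_STRICT
    return all(pattern.match(label) for label in name.split("."))


def classify(s: str) -> dict:
    """Report which ASN.1 string types can carry s and how each dNSName rule treats it."""
    return {
        "printable_string": is_printable_string(s),
        "ia5_string": is_ia5_string(s),
        "dnsname_strict": is_valid_dns_name(s),
        "dnsname_allow_underscore": is_valid_dns_name(s, allow_underscore=True),
    }


if __name__ == "__main__":
    # Constructed sample values covering the cases raised in the thread.
    for sample in ("www.example.com", "_sip._tcp.example.com",
                   "user@example.com", "exämple.com"):
        print(f"{sample:24} {classify(sample)}")
```

Run as a script, the table shows the point of the thread: "_sip._tcp.example.com" is a perfectly good IA5String (so nothing in the quoted RFC text forbids carrying it in dNSName) and is rejected only by the strict label rule; "user@example.com" is likewise IA5 but fails both hostname rules, and a non-ASCII name fails the IA5String check before hostname syntax is even considered.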