[9] RFR: 8007706: X.509 cert extension SAN should support "_" in dNSName

Florian Weimer fweimer at redhat.com
Tue Aug 5 06:58:39 UTC 2014


On 08/05/2014 07:52 AM, Jason Uh wrote:
> Hi Florian,
>
> I've reviewed the RFC again and think there might be some
> misinterpretation. The only part I see about underscores reads:
>
>>    Implementers should note that the at sign ('@') and underscore ('_')
>>    characters are not supported by the ASN.1 type PrintableString.
>>    These characters often appear in Internet addresses.  Such addresses
>>    MUST be encoded using an ASN.1 type that supports them.  They are
>>    usually encoded as IA5String in either the emailAddress attribute
>>    within a distinguished name or the rfc822Name field of GeneralName.
>>    Conforming implementations MUST NOT encode strings that include
>>    either the at sign or underscore character as PrintableString.
>
> RFC 5280 doesn't allow underscores for *PrintableString*, but DNSName is
> an *IA5String*, which does support them.

By this argument, the patch is still not correct because it leaves in 
additional checking incompatible with IA5String.  (It is also not clear 
to me what exactly is permissible in IA5Strings and how codepoints are 
supposedly mapped to their Unicode counterparts if a national variant of 
T.50 is used, but that's a different issue.)  Relaxing all restrictions 
would match what other software does.

My claim that '_' is not allowed in dNSName is based on these two sentences:

    When the subjectAltName extension contains a domain name system
    label, the domain name MUST be stored in the dNSName (an IA5String).
    The name MUST be in the "preferred name syntax", as specified by
    Section 3.5 of [RFC1034] and as modified by Section 2.1 of
    [RFC1123].

Section 3.5 of RFC 1034 and section 2.1 of RFC 1123 deal with host name 
syntax, and the grammar in RFC 1034 (and RFC 952, which is referenced in 
RFC 1123) does not permit underscores.

-- 
Florian Weimer / Red Hat Product Security
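The two positions in the thread differ in which check a dNSName must pass: the IA5String encoding rule alone (which accepts "_"), or the preferred name syntax of RFC 1034 section 3.5 as modified by RFC 1123 section 2.1 (letters, digits and interior hyphens only, with a leading digit now allowed), which does not. The following is an added illustration written for this page, not code from the OpenJDK patch under review nor from any JDK class; it is in Python rather than Java so that it runs stand-alone, and the sample names in it are constructed, not taken from real certificates. The function names (`is_ia5string`, `preferred_name_syntax_violations`, `dnsname_ok`) are this example's own. `dnsname_ok(name, strict=False)` models the relaxed, IA5-only behaviour Florian says other software applies; `strict=True` models the RFC 1034/1123 grammar he quotes.

```python
import re

# Label grammar of RFC 1034 section 3.5, as modified by RFC 1123 section 2.1:
#   <label> ::= <let-dig> [ [ <ldh-str> ] <let-dig> ]
# i.e. letters, digits and interior hyphens; RFC 1123 lets a label begin
# with a digit.  Underscore is not in the alphabet at all.
LDH_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?")
MAX_LABEL_OCTETS = 63   # RFC 1034 section 3.1
MAX_NAME_CHARS = 253    # 255 wire octets minus one length byte per label and the root


def is_ia5string(value: str) -> bool:
    """The encoding-level check only: every code point fits in 7 bits.

    '_' and '@' pass this check, which is Jason's point about IA5String."""
    return all(ord(ch) < 128 for ch in value)


def preferred_name_syntax_violations(name: str) -> list[str]:
    """Return the reasons `name` is not in RFC 1034/1123 preferred name syntax.

    An empty list means the name would be acceptable as a dNSName under
    the strict reading of RFC 5280 section 4.2.1.6."""
    problems: list[str] = []
    if not name:
        return ["empty name"]
    if len(name) > MAX_NAME_CHARS:
        problems.append(f"name longer than {MAX_NAME_CHARS} characters")
    labels = name.split(".")
    for label in labels:
        if label == "":
            problems.append("empty label (leading, trailing or doubled '.')")
            continue
        if len(label) > MAX_LABEL_OCTETS:
            problems.append(f"label {label[:8]}... longer than {MAX_LABEL_OCTETS} octets")
        if not LDH_LABEL.fullmatch(label):
            bad = sorted({ch for ch in label if not re.fullmatch(r"[A-Za-z0-9-]", ch)})
            if bad:
                problems.append(f"label {label!r} contains non-LDH character(s) {bad}")
            else:
                problems.append(f"label {label!r} starts or ends with '-'")
    # RFC 1123 section 2.1: the highest-level label is never all-numeric, so a
    # dotted-decimal IPv4 literal can never be a valid host name.
    if re.fullmatch(r"[0-9]+", labels[-1]):
        problems.append("top-level label is all digits (dotted-decimal form)")
    return problems


def dnsname_ok(name: str, strict: bool = True) -> bool:
    """strict=True: IA5String plus preferred name syntax (Florian's reading).
    strict=False: IA5String only, as the relaxed 'what other software does'."""
    if not is_ia5string(name):
        return False
    return not strict or not preferred_name_syntax_violations(name)


if __name__ == "__main__":
    # Constructed sample names for the demonstration; none is a real SAN value.
    samples = [
        "example.com",
        "my_host.example.com",
        "-bad.example.com",
        "10.0.0.1",
        "h\u00e9llo.example.com",
        "a" * 64 + ".example.com",
    ]
    for sample in samples:
        print(f"{sample[:28]:30} ia5={is_ia5string(sample)!s:5} "
              f"strict={dnsname_ok(sample)!s:5} "
              f"relaxed={dnsname_ok(sample, strict=False)!s:5} "
              f"{'; '.join(preferred_name_syntax_violations(sample))}")
```

The two checks diverge exactly on names like `my_host.example.com`: they are valid IA5Strings, so the relaxed check passes them, while the preferred-name-syntax check rejects the underscore. One caveat a practitioner will hit immediately: a wildcard label such as `*.example.com` also fails the RFC 1034 grammar, and RFC 5280 section 4.2.1.6 explicitly says the semantics of wildcards in subject alternative names are not addressed by that specification, so a validator that adopts the strict reading still has to decide separately how to treat a leading `*` label.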

