[9] RFR: 8007706: X.509 cert extension SAN should support "_" in dNSName

Florian Weimer fweimer at redhat.com
Tue Jul 22 08:23:33 UTC 2014


On 07/22/2014 09:52 AM, Jason Uh wrote:
> Hi Max,
>
> Could you please review this fix?
>
> http://cr.openjdk.java.net/~juh/8007706/webrev.00/
>
> With the fix, the rules will be:
> 1. A DNSName must begin with a letter or a digit
> 2. After the first character, valid characters in DNSName components are
> letters, digits, hyphens, and underscores

The underscore bit violates the requirements of RFC 5280.  Perhaps the 
RFC is wrong, but I think more justification is needed.  The part which 
accepts leading digits is fine.

Technically, there is a difference between domain names (sequences of 
dotted case-insensitive label blobs) and host names (labels must consist 
of letters and digits and hyphens, and start with a letter or digit). 
RFC 5280 says "domain name", but the references make it clear that "host 
names" are meant instead.  It's not even clear if IA5String can encode 
backslashes, which would be needed to cover the entire range of valid 
domain names.

-- 
Florian Weimer / Red Hat Product Security
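The two rule sets under discussion (the host-name reading of RFC 5280 that Florian describes, versus the rules Jason lists for the fix) can be written down as small validators so the names on which they disagree are visible. This is an added example, not code from the thread or from the OpenJDK webrev; the sample SAN values are constructed, and the proposed-fix checker follows the two quoted rules literally (only the first character of the whole name is constrained, labels are assumed to be non-empty).

```python
import string

# Constructed sample dNSName values (not taken from the thread).
SAMPLE_NAMES = [
    "www.example.com",         # ordinary host name
    "3com.example.com",        # leading digit: accepted by both rule sets
    "my_host.example.com",     # underscore inside a label: only the fix accepts it
    "host._tcp.example.com",   # underscore-led later label: only the fix accepts it
    "a.-b.example.com",        # hyphen-led later label: the fix as quoted accepts it
    "_ldap._tcp.example.com",  # leading underscore: rejected by both
    "-bad.example.com",        # leading hyphen: rejected by both
    "host..example.com",       # empty label: rejected by both
    "exa mple.com",            # space: rejected by both
]

LETTERS_DIGITS = frozenset(string.ascii_letters + string.digits)
HOSTNAME_CHARS = LETTERS_DIGITS | {"-"}
PROPOSED_CHARS = HOSTNAME_CHARS | {"_"}


def _split_labels(name):
    """Return the dotted labels, or None if the value cannot be a DNSName at all.

    IA5String is 7-bit ASCII, so anything outside ASCII is rejected up front;
    an empty name or an empty label (consecutive dots) is rejected as well.
    """
    if not name or not name.isascii():
        return None
    labels = name.split(".")
    if any(label == "" for label in labels):
        return None
    return labels


def is_hostname_name(name):
    """Host-name rule as described in the reply: every label consists of
    letters, digits and hyphens, and every label starts with a letter or digit."""
    labels = _split_labels(name)
    if labels is None:
        return False
    for label in labels:
        if label[0] not in LETTERS_DIGITS:
            return False
        if any(ch not in HOSTNAME_CHARS for ch in label):
            return False
    return True


def is_proposed_name(name):
    """Rules quoted for the fix, taken literally: the DNSName begins with a
    letter or digit; after that, letters, digits, hyphens and underscores are
    valid in every component."""
    labels = _split_labels(name)
    if labels is None:
        return False
    if name[0] not in LETTERS_DIGITS:
        return False
    return all(ch in PROPOSED_CHARS for ch in name[1:] if ch != ".")


def compare(names):
    """Evaluate both rule sets over a list of names."""
    return [(n, is_hostname_name(n), is_proposed_name(n)) for n in names]


def disagreements(names):
    """Names that the proposed fix accepts but the host-name rule rejects
    (or vice versa); these are the cases the review comment is about."""
    return [n for n, host_ok, fix_ok in compare(names) if host_ok != fix_ok]


if __name__ == "__main__":
    for name, host_ok, fix_ok in compare(SAMPLE_NAMES):
        print(f"{name:28} host-name rule: {host_ok!s:5} proposed fix: {fix_ok}")
    print("disagreements:", disagreements(SAMPLE_NAMES))
```

Every disagreement involves a character the RFC 5280 host-name reading does not allow in a label, which is the point the reply makes: widening the accepted set has to be argued against the RFC rather than assumed.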
