Question about X509Certificate SAN DNS Name
Sean Mullan
sean.mullan at oracle.com
Tue Sep 8 12:32:07 UTC 2015
On 09/08/2015 02:15 AM, Weijun Wang wrote:
> Hi Sean
>
> You closed 8016345 as a dup of 8007706, but it's about the 1st letter in
> a DNSName and 8007706 is about '_' inside. Should they be treated
> differently?
Yes, probably. Please re-open the bug.
--Sean
>
> Thanks
> Max
>
> On 09/08/2015 12:52 PM, kepi at sg.ibm.com wrote:
> >> I have a question on one of the bugs
> >> described at
>> https://bugs.openjdk.java.net/browse/JDK-8016345
>>
> >> The status of this bug is closed as it duplicates
> >> https://bugs.openjdk.java.net/browse/JDK-8007706. In bug JDK-8007706
> >> you were claiming that your implementation conforms to RFCs 5280,
> >> 1034, and 1123.
>>
> >> But after carefully reading the RFCs, I think the bug reported in
> >> JDK-8016345 should be fixed.
>>
>> From RFC 5280 Section 4.2.1.6, below block says:
>>
>> When the subjectAltName extension contains a domain name system
>> label, the domain name MUST be stored in the dNSName (an IA5String).
>> The name MUST be in the "preferred name syntax", as specified by
>> Section 3.5 of [RFC1034] and as modified by Section 2.1 of
>> [RFC1123].
>>
> >> In RFC1034, it says the name should begin with a letter. However, in
> >> RFC1123 Section 2.1, the syntax is relaxed and it says the first
> >> character can be either a letter or digit.
>>
>> From RFC1123 Section 2.1
> >> The syntax of a legal Internet host name was specified in
> >> RFC-952 <https://tools.ietf.org/html/rfc952#page-13> [DNS:4].
> >> One aspect of host name syntax is hereby changed: the
> >> restriction on the first character is relaxed to allow either a
> >> letter or a digit.
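
The two label grammars cited in the thread, side by side, as an added example that is not part of the original messages and not the JDK's own DNSName code. The class name, the regular expressions and the sample names are constructed for illustration; wildcard and internationalized names are out of scope.

```java
import java.util.regex.Pattern;

public class DnsNameSyntaxCheck {
    // RFC 1034 section 3.5 label: first character is a letter, last is a
    // letter or digit, interior is letters, digits or hyphens; 1 to 63 chars.
    static final Pattern RFC1034_LABEL =
        Pattern.compile("[A-Za-z]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?");

    // RFC 1123 section 2.1 changes only the first character: letter or digit.
    static final Pattern RFC1123_LABEL =
        Pattern.compile("[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?");

    // Checks every dot-separated label of a dNSName against one grammar.
    static boolean isValid(String name, Pattern label) {
        // 253 is the usual limit for a name in textual form (assumption of this example).
        if (name.isEmpty() || name.length() > 253) {
            return false;
        }
        // Limit -1 keeps empty labels, so "a..example" is rejected.
        for (String l : name.split("\\.", -1)) {
            if (!label.matcher(l).matches()) {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        String[] samples = {          // constructed sample names
            "www.example.com",        // valid under both grammars
            "3com.example",           // leading digit: the first-character case (JDK-8016345)
            "foo_bar.example",        // underscore inside a label (JDK-8007706)
            "-bad.example",           // leading hyphen: invalid under both
            "a..example"              // empty label: invalid under both
        };
        for (String s : samples) {
            System.out.printf("%-18s RFC1034=%-5b RFC1123=%b%n",
                s, isValid(s, RFC1034_LABEL), isValid(s, RFC1123_LABEL));
        }
    }
}
```

Only the leading-digit name gets a different verdict from the two grammars; the underscore name fails both, which is why the two bugs are separate questions.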