Server Certificates, Internal Names, and Browser support after October 2016 from Jeffrey Walton on 2015-02-02 (public-webappsec@w3.org from February 2015)

From: Jeffrey Walton <noloader@gmail.com>
Date: Sun, 1 Feb 2015 22:56:06 -0500
To: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <CAH8yC8my4s5YKrhXU_oA2mPQsyt+vhOBuTR=nw8Py46iEs37OA@mail.gmail.com>

According to the latest CA/B Baseline Requirements, section 9.2.1
(https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf):

    As of the Effective Date of these Requirements, prior to the issuance
    of a Certificate with a subjectAlternativeName extension or Subject
    commonName field containing a Reserved IP Address or Internal
    Name, the CA SHALL notify the Applicant that the use of such
    Certificates has been deprecated by the CA / Browser Forum and
    that the practice will be eliminated by October 2016.

An Internal Name is a name like localhost, localhost.localdomain, and
www.example.private (for my company's private, internal domain of
example.private).

I understand the CAs will stop issuing them in November, 2015; and the
Browsers will deprecate them in October, 2016.

My question: if I run an internal PKI and certify an internal name,
will the browser reject the certificate after October 2016?

Received on Monday, 2 February 2015 03:56:33 UTC