- From: Tom Ritter <tom@ritter.vg>
- Date: Mon, 2 Feb 2015 08:03:29 -0600
- To: noloader@gmail.com
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 1 February 2015 at 21:56, Jeffrey Walton <noloader@gmail.com> wrote:

> According to the latest CA/B Baseline Requirements, section 9.2.1
> (https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf):
>
> As of the Effective Date of these Requirements, prior to the issuance
> of a Certificate with a subjectAlternativeName extension or Subject
> commonName field containing a Reserved IP Address or Internal
> Name, the CA SHALL notify the Applicant that the use of such
> Certificates has been deprecated by the CA / Browser Forum and
> that the practice will be eliminated by October 2016.
>
> An Internal Name is a name like localhost, localhost.localdomain, and
> www.example.private (for my company's private, internal domain of
> example.private).
>
> I understand the CAs will stop issuing them in November, 2015; and the
> Browsers will deprecate them in October, 2016.
>
> My question: if I run an internal PKI and certify an internal name,
> will the browser reject the certificate after October 2016?

This is probably a better question for one of the browser-specific mailing lists: but my gut tells me that if you install a local trust root, any checks a browser may have about enforcing the CAB requirement and not allowing internal names will _not_ apply. (Otherwise, it just wouldn't work anymore, and we fought so hard to get CAs to stop issuing .local, so breaking everything just doesn't seem to be in the cards.)

Browsers override HPKP for user-installed roots, so I expect the same override detection mechanism to apply and to work the same way.

-tom
Received on Monday, 2 February 2015 14:04:17 UTC
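As an added example, not part of the thread, here is a small stdlib-only checker for the distinction the question turns on: which subjectAltName / CN values count as a Reserved IP Address or an Internal Name under BR 9.2.1 and would therefore trigger the notice (or be refused by a public CA). The `PUBLIC_TLDS` set is a constructed stand-in for the IANA Root Zone Database that the Baseline Requirements actually reference.

```python
import ipaddress

# Constructed stand-in for the IANA Root Zone Database (assumption). The BR define an
# Internal Name as one that does not end in a TLD registered there; a real CA check
# would load the full list from https://data.iana.org/TLD/tlds-alpha-by-domain.txt.
PUBLIC_TLDS = {"com", "net", "org", "edu", "gov", "uk", "de", "io"}


def classify_san(entry: str) -> str:
    """Classify one SAN / CN value as 'reserved-ip', 'public-ip',
    'internal-name' or 'public-name' in the sense of BR section 9.2.1."""
    value = entry.strip().lower()

    # IP address case: anything not globally routable (RFC 1918, loopback,
    # link-local, documentation ranges, ...) is a Reserved IP Address.
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        ip = None
    if ip is not None:
        return "public-ip" if ip.is_global else "reserved-ip"

    # DNS name case: normalise (trailing dot, wildcard label), then decide
    # purely on the rightmost label, which is what "ends with a registered TLD" means.
    value = value.rstrip(".")
    if value.startswith("*."):
        value = value[2:]
    labels = value.split(".")
    if not all(labels) or len(labels) == 1:
        return "internal-name"  # single-label names such as 'localhost', or malformed
    return "public-name" if labels[-1] in PUBLIC_TLDS else "internal-name"


def needs_deprecation_notice(sans):
    """Return the entries of a SAN list that would trigger the 9.2.1 notice."""
    return [s for s in sans if classify_san(s) in ("reserved-ip", "internal-name")]


if __name__ == "__main__":
    # Constructed sample SAN list mixing the names from the question with public ones.
    sample = ["www.example.com", "localhost", "localhost.localdomain",
              "www.example.private", "10.0.0.1", "8.8.8.8", "*.example.com"]
    for name in sample:
        print(f"{name:25s} {classify_san(name)}")
    print("would trigger notice:", needs_deprecation_notice(sample))
```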