W3C home > Mailing lists > Public > public-webappsec@w3.org > February 2015

Re: Server Certificates, Internal Names, and Browser support after October 2016

From: Tom Ritter <tom@ritter.vg>
Date: Mon, 2 Feb 2015 08:03:29 -0600
Message-ID: <CA+cU71ntnBarG8ZgZT8-ZEKn32wUssSP6u8je=6YS295Caf4JQ@mail.gmail.com>
To: noloader@gmail.com
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
On 1 February 2015 at 21:56, Jeffrey Walton <noloader@gmail.com> wrote:
> According to the latest CA/B Baseline Requirements, section 9.2.1
> (https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf):
>
>     As of the Effective Date of these Requirements, prior to the issuance
>     of a Certificate with a subjectAlternativeName extension or Subject
>     commonName field containing a Reserved IP Address or Internal
>     Name, the CA SHALL notify the Applicant that the use of such
>     Certificates has been deprecated by the CA / Browser Forum and
>     that the practice will be eliminated by October 2016.
>
> An Internal Name is a name like localhost, localhost.localdomain, and
> www.example.private (for my company's private, internal domain of
> example.private).
>
> I understand the CAs will stop issuing them in November, 2015; and the
> Browsers will deprecate them in October, 2016.
>
> My question: if I run an internal PKI and certify an internal name,
> will the browser reject the certificate after October 2016?


This is probably a better question for one of the browser-specific
mailing lists: but my gut tells me that if you install a local trust
root, any checks a browser may have about enforcing the CAB
requirement and not allowing internal names will _not_ apply.
(Otherwise, it just wouldn't work anymore, and we fought so hard to
get CAs to stop issuing .local, so breaking everything just doesn't
seem to be in the cards.)

Browsers override HPKP for user-installed roots, so I expect the same
override detection mechanism to apply and to work the same way.

-tom
Received on Monday, 2 February 2015 14:04:17 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:10 UTC