Re: [certid] weird CN-IDs (subjectCommonName) in SSL Labs Survey Data
Rob Stradling <rob.stradling@comodo.com> Thu, 21 October 2010 11:32 UTC
Return-Path: <rob.stradling@comodo.com>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix)
with ESMTP id 455713A677E for <certid@core3.amsl.com>;
Thu, 21 Oct 2010 04:32:10 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -4.195
X-Spam-Level:
X-Spam-Status: No, score=-4.195 tagged_above=-999 required=5 tests=[AWL=-0.377,
BAYES_20=-0.74, HELO_MISMATCH_NET=0.611, HOST_MISMATCH_COM=0.311,
RCVD_IN_DNSWL_MED=-4]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id bUnVrqsrcPVa for
<certid@core3.amsl.com>; Thu, 21 Oct 2010 04:32:08 -0700 (PDT)
Received: from ian.brad.office.comodo.net (brad.comodogroup.com
[82.109.38.202]) by core3.amsl.com (Postfix) with ESMTP id A788D3A6452 for
<certid@ietf.org>; Thu, 21 Oct 2010 04:32:06 -0700 (PDT)
Received: (qmail 13944 invoked by uid 1000); 21 Oct 2010 11:33:40 -0000
Received: from nigel.brad.office.comodo.net (HELO nigel.localnet)
(192.168.0.58) by ian.brad.office.comodo.net (qpsmtpd/0.40) with (AES256-SHA
encrypted) ESMTPS; Thu, 21 Oct 2010 12:33:40 +0100
From: Rob Stradling <rob.stradling@comodo.com>
To: certid@ietf.org
Date: Thu, 21 Oct 2010 12:33:38 +0100
User-Agent: KMail/1.13.5 (Linux/2.6.32-gentoo-r7; KDE/4.4.5; i686; ; )
References: <4CBF125C.6010704@KingsMountain.com>
In-Reply-To: <4CBF125C.6010704@KingsMountain.com>
MIME-Version: 1.0
Content-Type: Text/Plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id: <201010211233.38528.rob.stradling@comodo.com>
X-Mailman-Approved-At: Thu, 21 Oct 2010 06:41:15 -0700
Subject: Re: [certid] weird CN-IDs (subjectCommonName) in SSL Labs Survey Data
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates
<certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>,
<mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 21 Oct 2010 11:32:10 -0000
On Wednesday 20 October 2010 17:01:32 =JeffH wrote: > perhaps RobS can provide some rationale for this practice? Hi Jeff. Comments inline (taken from the message I sent you privately a few days ago)... > > > ALL IN ONE services.acheckamerica.com suite.agile1.com > > > www.etimeentry.com ALL IN ONE > > > > Duplicate instances of the same AVA at both ends of the DN (I'd like to > > see that go in an LDAP directory!). <snip> "ORGANIZATIONNAME domain1 domain2 ... domainN ORGANIZATIONNAME" I suspect that most (probably all) of these were issued by Comodo's CA system. Some years ago, when we first looked at the possibility of launching a "multi- domain SSL certificate" product, our testing showed that some browsers would use multiple Common Names but not multiple SAN->dNSNames. Of course, even back then the reverse was true with various other browsers. To offer maximum compatibility, we elected to give certificate applicants the option of having all of their domains encoded as both CNs and dNSNames. The Windows Certificate Viewer (for example) typically displays "Issued to: <Common Name>". Since this only displays 1 CN, we figured it might confuse people when there were multiple CNs present in the certificate. Therefore, we decided to (by default) encode the Organization Name as both the first and last CN, to make sure that the Windows Certificate Viewer would actually show "Issued to: <Organization Name encoded as a Common Name>". Here's a (perhaps out-of-date) Wiki page from another CA who seem to have done pretty much the same research we did: http://wiki.cacert.org/VhostTaskForce Note that "CN+SubjectAltNames" has the most green "Yes"es. > > > intranet.zsi.at bibliothek.intranet.zsi.at webmail.intranet.zsi.at > > > wiki.intranet.zsi.at ztools.intranet.zsi.at > > > > This contains a DN with components thrown together in more or less > > arbitrary order, again with CNs at both the start and end of the This was us too. It's a variation on the previous case. The customer elected to i) have the 2 Organization Name CNs omitted and ii) have a particular CN (intranet.zsi.at) first (i.e. encoded last) in the list. (We normally encode them in alphabetical order). > Yes, they obviously aren't backing their CA databases with an X.500-based > directory. Indeed. > I suspect hardly anyone (or even no-one) does so. > > > =JeffH > > _______________________________________________ > certid mailing list > certid@ietf.org > https://www.ietf.org/mailman/listinfo/certid Rob Stradling Senior Research & Development Scientist COMODO - Creating Trust Online
- [certid] weird CN-IDs (subjectCommonName) in SSL … =JeffH
- Re: [certid] weird CN-IDs (subjectCommonName) in … Martin Rex
- Re: [certid] weird CN-IDs (subjectCommonName) in … Matt McCutchen
- [certid] weird CN-IDs (subjectCommonName) in SSL … =JeffH
- Re: [certid] weird CN-IDs (subjectCommonName) in … =JeffH
- Re: [certid] weird CN-IDs (subjectCommonName) in … =JeffH
- Re: [certid] weird CN-IDs (subjectCommonName) in … =JeffH
- Re: [certid] weird CN-IDs (subjectCommonName) in … Rob Stradling