RFC 9525 obsoletes commonName check

Steffen Nurpmeso steffen at sdaoden.eu
Sat Nov 18 23:28:47 UTC 2023


Viktor Dukhovni wrote in
 <ZVj2YneiSwGnklVK at straasha.imrryr.org>:
 |On Sat, Nov 18, 2023 at 11:21:16AM +0100, Georg Höllrigl wrote:
 |
 |> 
 |>    CN was deprecated in May 2000 - RFC 2818:
 |>    If a subjectAltName extension of type dNSName is present, that MUST
 |>    be used as the identity. Otherwise, the (most specific) Common Name
 |>    field in the Subject field of the certificate MUST be used. Although
 |>    the use of the Common Name is existing practice, it is deprecated and
 |>    Certification Authorities are encouraged to use the dNSName instead.
 |
 |Note the **If**, and the mandatory fallback to CN.  So at that time it
 |was superseded by SAN, but not yet effectively deprecated.

That was HTTP over TLS only.

 |> In 2017 Chromium enforced use of SAN, and to my knowledge the other
 |> browsers followed:
 |> 
 |> https://chromestatus.com/feature/4981025180483584
 |> https://textslashplain.com/2017/03/10/chrome-deprecates-subject-cn-matching/
 |
 |These actually removed support for CN-ID, and it is great that the
 |browsers are in a position to do that.
 |
 |OpenSSL, however, is used in all kinds of intramural legacy systems, and
 |backwards-compatibility is an important consideration.
 |
 |If we stop accepting CN-ID fallback by default, barring evidence that
 |"nobody" still relies on CN-ID, OpenSSL should at least initially (in
 |the first LTS release that changes the default) provide a flag that
 |reënables the fallback, and only remove support in a subsequent release,
 |giving users ample time to make the transition.
 |
 |What is the aim of this thread, is it a question, feature request, bug
 |report, or preliminary discussion?

It was only to note an important change that the IETF made in
a generic RFC, but which is "buried" in its appendix, and I think
it was important enough to be seen more regularly.  (Also because
RFC 9525 has a different name than the one it obsoletes, RFC 6125
was named "Representation and Verification of Domain-Based
Application Service Identity within Internet Public Key
Infrastructure" instead.)

--steffen
|
|Der Kragenbaer,                The moon bear,
|der holt sich munter           he cheerfully and one by one
|einen nach dem anderen runter  wa.ks himself off
|(By Robert Gernhardt)
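The SAN-first rule quoted from RFC 2818 above, together with the opt-in CN-ID fallback flag Viktor describes, as an added example that is not part of this thread or of OpenSSL's code; the certificate is a constructed dict (keys `san_dns` and `cn`) rather than a parsed X.509 object, and the wildcard handling is the leftmost-label-only rule of RFC 6125/9525.

```python
"""Reference-name check in the style of RFC 2818 -> RFC 6125 -> RFC 9525.

Constructed example: certificates are plain dicts, not parsed X.509 objects.
"""


def _match_dns_id(pattern: str, host: str) -> bool:
    """Case-insensitive DNS-ID match.

    A wildcard is accepted only as the entire leftmost label, must be followed
    by at least two further labels, and never matches across a dot
    (RFC 6125 s6.4.3 / RFC 9525 s6.3, simplified).
    """
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    plabels, hlabels = pattern.split("."), host.split(".")
    if plabels[0] != "*" or len(plabels) < 3 or len(plabels) != len(hlabels):
        return False
    return plabels[1:] == hlabels[1:]


def check_host(cert: dict, host: str, allow_cn_fallback: bool = False) -> bool:
    """Return True if host matches the certificate's identity.

    RFC 2818: if any dNSName SAN is present it MUST be used; the CN is then
    ignored even when it would have matched.
    RFC 9525: CN-ID is no longer an identifier at all, so with no SAN the
    check fails unless the caller explicitly opts into the legacy fallback
    (the kind of compatibility flag discussed in the thread).
    """
    san = cert.get("san_dns") or []
    if san:
        return any(_match_dns_id(p, host) for p in san)
    if allow_cn_fallback and cert.get("cn"):
        return _match_dns_id(cert["cn"], host)
    return False


# Constructed sample certificates.
SAN_CERT = {"san_dns": ["www.example.com", "*.api.example.com"],
            "cn": "cn-only.example.com"}
LEGACY_CERT = {"san_dns": [], "cn": "legacy.example.com"}

if __name__ == "__main__":
    print(check_host(SAN_CERT, "www.example.com"))          # True
    print(check_host(SAN_CERT, "cn-only.example.com", True))  # False: SAN wins
    print(check_host(LEGACY_CERT, "legacy.example.com"))     # False: no CN-ID
    print(check_host(LEGACY_CERT, "legacy.example.com", True))  # True: opt-in
```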