仕様書

[4] RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (2015-02-22 15:44:10 +09:00 版) http://tools.ietf.org/html/rfc5280#section-7.2
[11] RFC 6125 - Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS) (2015-03-13 22:27:53 +09:00 版) https://tools.ietf.org/html/rfc6125#section-1.8
[14] BR (2014-11-01 05:54:38 +09:00 版) https://cabforum.org/wp-content/uploads/BRv1.2.3.pdf#page=17
[17] (2014-11-01 05:09:16 +09:00 版) https://cabforum.org/wp-content/uploads/EV-V1_5_2Libre.pdf#page=16

構文

[5] 値は、 IA5String です。

[6] IDN をAラベルに変換してから蓄積しなければなりません。すなわち、 IDNA2003 ToASCII 演算を UseSTD3ASCIIRules フラグあり、 AllowUnassigned フラグなしで適用した結果を蓄積しなければなりません >>4。

[16] BR に従う CA は FQDN (ワイルドカードFQDNを含む。) を指定した SAN を証明書に含めなければなりません >>14。

[15] BR に従う CA は、2016年10月1日までに内部名を SAN dNSName に指定した証明書を全廃することになっています >>14。

[19] EV証明書ではドメイン名を含めなければなりません >>17。ワイルドカード証明書は認められていません >>17。

レンダリング

[9] 表示前に IDN を Uラベルに変換するべきです。すなわち、 IDNA2003 ToUnicode 演算を UseSTD3ASCIIRules フラグあり、 AllowUnassigned フラグなしで適用した結果を使うべきです。 >>4

メモ

[1]

RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (2015-02-22 15:44:10 +09:00 版) http://tools.ietf.org/html/rfc5280#section-4.2.1.6

When the subjectAltName extension contains a domain name system
label, the domain name MUST be stored in the dNSName (an IA5String).
The name MUST be in the "preferred name syntax", as specified by
Section 3.5 of [RFC1034] and as modified by Section 2.1 of
[RFC1123]. Note that while uppercase and lowercase letters are
allowed in domain names, no significance is attached to the case. In
addition, while the string " " is a legal domain name, subjectAltName
extensions with a dNSName of " " MUST NOT be used. Finally, the use
of the DNS representation for Internet mail addresses
(subscriber.example.com instead of subscriber@example.com) MUST NOT
be used; such identities are to be encoded as rfc822Name.

[2]

RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (2015-02-22 15:44:10 +09:00 版) http://tools.ietf.org/html/rfc5280#section-4.2.1.6

the semantics of subject alternative names that include
wildcard characters (e.g., as a placeholder for a set of names) are
not addressed by this specification. Applications with specific
requirements MAY use such names, but they must define the semantics.

[3]

RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile (2015-02-22 15:44:10 +09:00 版) http://tools.ietf.org/html/rfc5280#section-4.2.1.10

DNS name restrictions are expressed as host.example.com. Any DNS
name that can be constructed by simply adding zero or more labels to
the left-hand side of the name satisfies the name constraint. For
example, www.host.example.com would satisfy the constraint but
host1.example.com would not.

仕様書

構文

文脈

比較

レンダリング

関連

メモ