[10] [DFN[[CODE[[[dNSName]]]]]] は、 [CODE[[[GeneralName]]]] の一種で、 [[インターネット]]の[[ドメイン名]]を表します。 [12] [DFN[[[DNS-ID]]]] とは、型 [CODE[[[dNSName]]]] の [CODE[[[subjectAltName]]]] エントリーをいいます [SRC[>>11]]。 * 仕様書 [REFS[ - [4] '''[CITE@en[RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]] ([TIME[2015-02-22 15:44:10 +09:00]] 版) ''' - [11] [CITE@en[RFC 6125 - Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastructure Using X.509 (PKIX) Certificates in the Context of Transport Layer Security (TLS)]] ([TIME[2015-03-13 22:27:53 +09:00]] 版) - [14] [CITE[[[BR]]]] ([TIME[2014-11-01 05:54:38 +09:00]] 版) - [17] ([TIME[2014-11-01 05:09:16 +09:00]] 版) ]REFS] * 構文 [5] 値は、 [CODE[[[IA5String]]]] です。 [6] [[IDN]] を[[Aラベル]]に変換してから[[蓄積]]しなければ[['''なりません''']]。すなわち、 [[IDNA2003]] [CODE[[[ToASCII]]]] [[演算]]を [CODE[[[UseSTD3ASCIIRules]]]] フラグあり、 [CODE[[[AllowUnassigned]]]] フラグなしで適用した結果を[[蓄積]]しなければ[['''なりません''']] [SRC[>>4]]。 [16] [[BR]] に従う [[CA]] は [[FQDN]] ([[ワイルドカードFQDN]]を含む。) を指定した [[SAN]] を[[証明書]]に含めなければ[['''なりません''']] [SRC[>>14]]。 [15] [[BR]] に従う [[CA]] は、2016年10月1日までに[[内部名]]を [[SAN]] [CODE[[[dNSName]]]] に指定した[[証明書]]を全廃することになっています [SRC[>>14]]。 [19] [[EV証明書]]では[[ドメイン名]]を含めなければ[['''なりません''']] [SRC[>>17]]。 [[ワイルドカード証明書]]は認められていません [SRC[>>17]]。 * 文脈 [13] 要件と処理方法については [[service identity]] も参照。 [18] [[EV]] では必須です [SRC[>>17]]。 * 比較 [7] [[大文字・小文字不区別]]で比較しなければ[['''なりません''']] [SRC[>>4]]。 ;; [8] 比較対象も比較前に >>6 の通り [[Aラベル]]に変換する必要があります。 * レンダリング [9] 表示前に [[IDN]] を [[Uラベル]]に変換するべきです。すなわち、 [[IDNA2003]] [CODE[[[ToUnicode]]]] [[演算]]を [CODE[[[UseSTD3ASCIIRules]]]] フラグあり、 [CODE[[[AllowUnassigned]]]] フラグなしで適用した結果を使うべきです。 [SRC[>>4]] * 関連 [20] [SEE[ [[CN-ID]]、[[SAN]] ]] * メモ [FIG(quote)[ [FIGCAPTION[ [1] [CITE@en[RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]] ([TIME[2015-02-22 15:44:10 +09:00]] 版) ]FIGCAPTION] > When the subjectAltName extension contains a domain name system > label, the domain name MUST be stored in the dNSName (an IA5String). > The name MUST be in the "preferred name syntax", as specified by > Section 3.5 of '''['''RFC1034''']''' and as modified by Section 2.1 of > '''['''RFC1123''']'''. Note that while uppercase and lowercase letters are > allowed in domain names, no significance is attached to the case. In > addition, while the string " " is a legal domain name, subjectAltName > extensions with a dNSName of " " MUST NOT be used. Finally, the use > of the DNS representation for Internet mail addresses > (subscriber.example.com instead of subscriber@example.com) MUST NOT > be used; such identities are to be encoded as rfc822Name. ]FIG] [FIG(quote)[ [FIGCAPTION[ [2] [CITE@en[RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]] ([TIME[2015-02-22 15:44:10 +09:00]] 版) ]FIGCAPTION] > the semantics of subject alternative names that include > wildcard characters (e.g., as a placeholder for a set of names) are > not addressed by this specification. Applications with specific > requirements MAY use such names, but they must define the semantics. ]FIG] [FIG(quote)[ [FIGCAPTION[ [3] [CITE@en[RFC 5280 - Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile]] ([TIME[2015-02-22 15:44:10 +09:00]] 版) ]FIGCAPTION] > DNS name restrictions are expressed as host.example.com. Any DNS > name that can be constructed by simply adding zero or more labels to > the left-hand side of the name satisfies the name constraint. For > example, www.host.example.com would satisfy the constraint but > host1.example.com would not. ]FIG]