Apparently name constraints don't constrain the CN field though, and that's what... | Hacker News

Hacker Newsnew | past | comments | ask | show | jobs | submit

		makomk on April 2, 2015 \| parent \| context \| favorite \| on: Google pulling China CNNIC CA from its products Apparently name constraints don't constrain the CN field though, and that's what browsers validate domain names against.

briansmith on April 2, 2015 [–]

In Mozilla's implementation, name constraints are applied to the CN field. I believe Chrome is the same way. Also, browsers "validate domain names" against the CN attribute and the dNSName entries in the subjectAltName extension.

Source: I wrote all that code in Mozilla's implementation.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact