X509lint "Policy information has qualifier other than CPS URI"

Hello,

I have checked some of my certificates in http://crt.sh/ and when I click “x509lint”, I see the following messages:

```text
   INFO: Subject has a deprecated CommonName
WARNING: Policy information has qualifier other than CPS URI
```

Other certificates, for example the ones from StartCom, which I used earlier, did not have this warning.

There seems to be a small technical detail in the certs which is wrong. Maybe it can be fixed. I love perfectionism :wink:

Just out of interest: As for the first message, what does it mean? Why is a domain name in the CN deprecated?

Hopefully a Let’s Encrypt person will have some response to your first point, although just because something emits a warning doesn’t mean it’s necessarily a problem; that’s what we have errors for.

On the second point, the deprecated CN, the situation is that X.509 is originally part of the X.500 series directory system. Now, the directory system is not very important, but the Internet adopted X.509 and some other things, and re-purposed bits of them. But the Internet isn’t a hierarchical directory system, so at first what people did was just write technical stuff in the Common Name field, which is really supposed to be a human-readable name like “Let’s Encrypt” or “Joseph George Daniels”.

Because it’s intended to be human readable it’s not “wrong” to set CN to " www.example.com" (that’s a space at the start) or “10.20.30.40-43” or “wWw.Example.ORG” and so to continue this way everybody would need a fairly complicated parser, and every issuer needs to be especially careful to only emit things that work with the common parsers out there. In the past for example it was found that some web browsers treated a NUL (zero byte) ASCII character as the end of the domain name in a Common Name.

So, back in the 1990s PKIX (the Internet’s standardisation of X.509 for its use) created Subject Alternative Names (SANs), which are typed names, such as IP address, DNS name, email address. Whereas a certificate can only have one Subject, and thus should only have one CN, it can have many SANs.

For backwards compatibility the standard suggests you can write one DNS name in the Subject CN, but this is deprecated, because after all, surely soon software will catch up and learn to read SANs, right? And almost two decades later we’re still doing the backward compatibility thing because there is still software which doesn’t understand SANs properly. Microsoft only recently began shipping operating systems that understand an IP address isn’t a text string. Similarly, some Certificate Authorities (not Let’s Encrypt, mostly smaller parochial ones these days) keep issuing certificates that don’t even fill out the SAN, so software has to keep checking CN even now.

Mozilla’s routine “communication to Certificate Authorities” (basically a letter they write asking each CA to fill out a web survey on practices and standards) has asked several times now for CAs to confirm they understand this rule and they will use SANs and not just rely on CN. Each time they get an affirmative answer but alas every year a few CAs manage not to quite do what they promised. “Oops” they say “Silly us. Don’t worry though, we know now”. Until next year.
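The CN-versus-SAN rule described in the reply above, as an added example that is not part of the original post and not x509lint’s code: a simplified lint over hand-constructed Subject CN and SAN values that reports the deprecated-CN case, the whitespace, case and NUL-byte oddities the free-form CN allows, and a CN host name missing from the SAN. Assumes the CN and SAN values have already been pulled out of a parsed certificate.

```python
import ipaddress
import re

# Constructed sample data: a simplified view of a certificate's Subject CN and
# Subject Alternative Name entries. A real check would read these from a parsed
# X.509 structure; the lint logic below is an illustration, not x509lint's code.
DNS_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")
DEPRECATED = "INFO: Subject has a deprecated CommonName"

def is_dns_name(name: str) -> bool:
    """Syntactic hostname check: 1-253 chars, labels of letters/digits/hyphen."""
    return 0 < len(name) <= 253 and all(DNS_LABEL.match(lab) for lab in name.split("."))

def lint_common_name(cn, san_dns, san_ip):
    """Return x509lint-style findings for a Subject CN given the SAN dNSName
    and iPAddress entries. A CN that carries a host identifier is deprecated
    (it belongs in the SAN) and must also appear there; the CN's free-form
    nature is why the odd cases below need explicit handling."""
    findings = []
    if cn is None:
        return findings  # no CN at all is fine: the SAN carries the identity
    if "\x00" in cn:
        # Some clients once stopped reading at the NUL, seeing a shorter name.
        return ["ERROR: CommonName contains a NUL byte"]
    if cn != cn.strip():
        findings.append("WARNING: CommonName has leading or trailing whitespace")
    host = cn.strip()
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    if ip is not None:
        findings.append(DEPRECATED)
        if ip not in {ipaddress.ip_address(a) for a in san_ip}:
            findings.append("ERROR: IP address in CommonName is not in SAN iPAddress")
    elif is_dns_name(host):
        findings.append(DEPRECATED)
        # DNS names compare case-insensitively, so "wWw.Example.ORG" still matches.
        if host.lower() not in {d.lower() for d in san_dns}:
            findings.append("ERROR: DNS name in CommonName is not in SAN dNSName")
    # A human-readable CN such as "Let's Encrypt" is what the field was meant for.
    if not san_dns and not san_ip:
        findings.append("ERROR: no SAN present; clients must fall back to the CN")
    return findings

if __name__ == "__main__":
    for cn in ["www.example.com", " www.example.com", "wWw.Example.ORG", "10.20.30.40"]:
        print(repr(cn), lint_common_name(cn, ["www.example.com"], ["10.20.30.40"]))
```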

