e_subject_common_name_not_from_san when commonName is U-label

[mimi89999]

From the discussion in https://archive.cabforum.org/pipermail/public/2017-July/011775.html I understand that U-labels are allowed in CN. However, when CN is a U-label, zlint shows errors and that seems wrong.

Example certificate: https://crt.sh/?id=4512264235&opt=zlint

[robstradling]

Ballot 202 failed (see https://cabforum.org/2017/07/26/ballot-202-underscore-wildcard-characters/), and AFAIK no revised ballot has yet been proposed.

The BRs currently specify the following requirement for the subject:commonName field in leaf certificates:
"If present, this field MUST contain a single IP address or Fully‐Qualified Domain Name that is one of the values contained in the Certificate’s subjectAltName extension (see Section 7.1.4.2.1)."

"Fully‐Qualified Domain Name" is a Defined Term:
"A Domain Name that includes the labels of all superior nodes in the Internet Domain Name System."

DNS is not Unicode-aware, so "the labels" MUST be A-labels, not U-labels. Also, I would argue that "is one of the values" requires the commonName to be byte-for-byte identical to one of the subjectAltName:dNSName values.

[mimi89999]

So that would mean that the certificate was misissued?

[cpu]

So that would mean that the certificate was misissued?

Yes, I agree with @robstradling's assessment, this seems like a valid linter error.

[cpu]

I'm following the MDSP discussion on this subject and considering the issue blocked on spec for now.

[CBonnell]

Now that SC48 has passed and is effective, this can be closed.