At 21:57 +0000 12 Oct 2021, "brian m. carlson" <sandals@xxxxxxxxxxxxxxxxxxxx> wrote:
I also just checked, and RFC 5280 specifies the rules for RFC 1123 regarding host names in certificates. So even if we did accept this, no publicly trusted CA could issue a certificate for such a domain, because to do so would be misissuance. So this at best could help people who are either using plain HTTP or an internal CA using broken tools, neither of which I think argue in favor of supporting this.
Or people using a wildcard certificate.