On Tue, Dec 15, 2015 at 9:39 AM, Salz, Rich <[email protected]> wrote:
> > > There's SRVName from https://tools.ietf.org/html/rfc4985 which in theory
> > > already can be applied to https already. SRVNames are used in the XMPP
> > > world a lot, maybe other places as well.
> >
> > But you can't put a SRVName in a certificate SAN field, can you?

Actually you can. The SRV label is simply a DNS name.

That is arguably the only way that you can legitimately create service-specific certs in the WebPKI. Port-specific certificates are an abomination that must not happen. Well-known ports are not a viable discovery technique for modern services, and the idea that they can provide domain separation is utter nonsense. SRV-prefixed domain names do actually provide the necessary separation.

The only objection people would make to SRV is that they would have to rewrite their application to use SRV for discovery. But I don't see that as a legitimate concern when the alternative would be having to re-engineer PKIX and the WebPKI, which simply isn't going to happen. Port numbers are a transport-layer attribute and the WebPKI is an application-layer concern.
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
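The two forms of service identity discussed in the message above, as an added example that is not part of the original post or of any ACME or XMPP implementation: an RFC 4985 SRVName is a GeneralName otherName with type-id id-on-dnsSRV (OID 1.3.6.1.5.5.7.8.7) whose value is the IA5String "_Service.Name", while the "SRV label is simply a DNS name" reading puts the same string in an ordinary dNSName SAN. The hand-rolled DER encoder and decoder below cover only the few types a GeneralNames value needs and are an assumption of this example (real code would use an ASN.1 or X.509 library); the sample SAN contents are constructed, and the matching rule (exact, case-insensitive comparison of "_service.domain") is this example's own, chosen to show that a certificate for _xmpp-client.example.com does not satisfy a client looking for _xmpp-server.example.com, and that a plain host certificate names no service at all.

```python
# Added example (not from the original message): SRVName / SRV-prefixed dNSName
# in a SubjectAltName, with a minimal DER subset (assumption: demo-only encoder).

# id-on-dnsSRV, OID 1.3.6.1.5.5.7.8.7, as its DER content bytes
ID_ON_DNS_SRV = bytes.fromhex("2b06010505070807")

TAG_SEQUENCE = 0x30
TAG_OID = 0x06
TAG_IA5STRING = 0x16
TAG_CTX0_CONSTRUCTED = 0xA0   # [0] constructed: otherName, and its EXPLICIT value wrapper
TAG_DNS_NAME = 0x82           # [2] IMPLICIT IA5String: dNSName


def _der(tag: int, body: bytes) -> bytes:
    """Wrap body in a DER TLV with the given tag (short or long-form length)."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, content, position after the TLV) for the TLV starting at pos."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:pos + length], pos + length


def encode_dns_name(name: str) -> bytes:
    """GeneralName dNSName, e.g. the SRV-prefixed form _xmpp-client.example.com."""
    return _der(TAG_DNS_NAME, name.encode("ascii"))


def encode_srv_name(service: str, domain: str) -> bytes:
    """GeneralName otherName carrying an RFC 4985 SRVName ("_Service.Name")."""
    srv_name = _der(TAG_IA5STRING, f"_{service}.{domain}".encode("ascii"))
    other_name = _der(TAG_OID, ID_ON_DNS_SRV) + _der(TAG_CTX0_CONSTRUCTED, srv_name)
    return _der(TAG_CTX0_CONSTRUCTED, other_name)


def encode_san(general_names) -> bytes:
    """SubjectAltName extension value: GeneralNames ::= SEQUENCE OF GeneralName."""
    return _der(TAG_SEQUENCE, b"".join(general_names))


def decode_san(der: bytes):
    """Parse a SubjectAltName value into (kind, value) pairs."""
    tag, body, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("not a GeneralNames SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag == TAG_DNS_NAME:
            names.append(("dNSName", value.decode("ascii")))
        elif tag == TAG_CTX0_CONSTRUCTED:
            oid_tag, oid, p = _read_tlv(value, 0)
            wrap_tag, wrapped, _ = _read_tlv(value, p)
            if oid_tag != TAG_OID or wrap_tag != TAG_CTX0_CONSTRUCTED:
                raise ValueError("malformed otherName")
            if oid == ID_ON_DNS_SRV:
                inner_tag, srv, _ = _read_tlv(wrapped, 0)
                if inner_tag != TAG_IA5STRING:
                    raise ValueError("SRVName must be an IA5String")
                names.append(("SRVName", srv.decode("ascii")))
            else:
                names.append(("otherName", oid.hex()))
        else:
            names.append(("unsupported", tag))  # iPAddress, rfc822Name, ... not needed here
    return names


def matches_service(san_der: bytes, service: str, domain: str) -> bool:
    """True if the SAN names exactly this service at this domain (SRVName or SRV-prefixed dNSName)."""
    want = f"_{service}.{domain}".lower()
    return any(kind in ("SRVName", "dNSName") and value.lower() == want
               for kind, value in decode_san(san_der))


if __name__ == "__main__":
    # Constructed sample SAN carrying both spellings of the same service identity.
    san = encode_san([
        encode_srv_name("xmpp-client", "example.com"),
        encode_dns_name("_xmpp-client.example.com"),
    ])
    print(decode_san(san))
    print(matches_service(san, "xmpp-client", "example.com"))  # True
    print(matches_service(san, "xmpp-server", "example.com"))  # False: different service
    # A plain host certificate binds no service at all, so it never matches a service lookup.
    plain = encode_san([encode_dns_name("example.com")])
    print(matches_service(plain, "xmpp-client", "example.com"))  # False
```

The point the matcher makes is the one the message argues: the service name is part of the identity the certificate asserts and the client checks, whereas a port number never appears in the certificate and so cannot separate one service on a host from another. In production, replace the DER helpers with a library and take the service label from the SRV lookup the client already performed, not from user input.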
