On Mon, Jun 22, 2020 at 11:51 PM Eliot Lear <[email protected]> wrote:

> Hi Ben
>
> On 23 Jun 2020, at 05:31, Benjamin Kaduk <[email protected]> wrote:
>
> > Russ has been helping reach out to more of the PKIX community; one
> > suggestion that came up so far is to consider defining a dedicated URI
> > scheme and using a uniformResourceIdentifier SAN -- did the WG consider
> > that in the initial discussions?
>
> I don’t know if the group looked at this, but I can say that from a public
> CA standpoint, it’s not much different from otherName because there is a
> requirement to validate the name. A new URI scheme would require a new
> resolution mechanism. Perhaps that is needed as part of ACP *anyway*.
> The one value of URI is that it is easier to configure in some of the
> tooling like OpenSSL.
>
> What disturbs me about all of this is that public CAs will accept
> otherNames and produce garbage out. That’s just asking for a boot to the
> head* from a vulnerability perspective.
>
This would at present appear to violate the BRs. S 7.1.4.2.1 says:

    Contents: This extension MUST contain at least one entry. Each entry
    MUST be either a dNSName containing the Fully-Qualified Domain Name or
    an iPAddress containing the IP address of a server. The CA MUST confirm
    that the Applicant controls the Fully-Qualified Domain Name or IP
    address or has been granted the right to use it by the Domain Name
    Registrant or IP address assignee, as appropriate.

-Ekr
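The BR text Ekr quotes reduces to a mechanical check on the subjectAltName extension: at least one entry, and every entry a dNSName or an iPAddress. The following is an added example, not code from this thread, from any CA, or from the ANIMA work; it is a stdlib-only DER walker for the GeneralNames SEQUENCE that is the value of the subjectAltName extension (RFC 5280 section 4.2.1.6), so it runs on the raw extension bytes and reports every otherName, URI or other alternative that the quoted rule does not permit. The sample SAN at the bottom is constructed for this example, and the otherName type-id in it is a placeholder OID under the private-enterprise arc, not an assigned value.

```python
"""Check subjectAltName entries against the BR 7.1.4.2.1 'Contents' rule.

Added example, not code from the ANIMA thread or from any CA tooling.
Minimal DER walker for the GeneralNames SEQUENCE (RFC 5280 s4.2.1.6).
The sample SAN is constructed; its otherName type-id is a placeholder OID.
"""
from ipaddress import ip_address

# GeneralName CHOICE alternatives, keyed by context-specific tag number.
GENERAL_NAME_TAGS = {
    0: "otherName", 1: "rfc822Name", 2: "dNSName", 3: "x400Address",
    4: "directoryName", 5: "ediPartyName", 6: "uniformResourceIdentifier",
    7: "iPAddress", 8: "registeredID",
}
# The only alternatives BR 7.1.4.2.1 permits in a server certificate.
BR_PERMITTED = {"dNSName", "iPAddress"}


def _read_tlv(buf, pos):
    """Read one DER element (single-byte tag) at buf[pos]: (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    value = buf[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER element")
    return tag, value, pos + length


def _oid_to_str(oid):
    """Decode OBJECT IDENTIFIER contents (base-128 arcs) to dotted form."""
    arcs = [oid[0] // 40, oid[0] % 40]
    acc = 0
    for b in oid[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(str(a) for a in arcs)


def parse_general_names(der):
    """Return [(kind, rendered_value), ...] for a DER-encoded GeneralNames."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    names, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag & 0xC0 != 0x80:  # every GeneralName alternative is context-specific
            raise ValueError("GeneralName tag is not context-specific")
        kind = GENERAL_NAME_TAGS.get(tag & 0x1F, "unknown")
        if kind in ("dNSName", "rfc822Name", "uniformResourceIdentifier"):
            rendered = value.decode("ascii")  # IA5String contents
        elif kind == "iPAddress":
            rendered = str(ip_address(value))  # 4 (IPv4) or 16 (IPv6) octets
        elif kind == "otherName":
            # OtherName ::= SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
            # Only the type-id is decoded; the value is scheme-specific.
            oid_tag, oid, _ = _read_tlv(value, 0)
            if oid_tag != 0x06:
                raise ValueError("otherName does not start with an OID")
            rendered = "type-id " + _oid_to_str(oid)
        else:
            rendered = value.hex()  # structured names are left undecoded
        names.append((kind, rendered))
    return names


def br_problems(der):
    """List the ways a SAN fails the quoted BR 7.1.4.2.1 'Contents' rule."""
    names = parse_general_names(der)
    if not names:
        return ["SAN contains no entries"]
    return [f"{kind} entry not permitted: {val}"
            for kind, val in names if kind not in BR_PERMITTED]


def _tlv(tag, value):
    """Encode one DER element (used only to build the constructed sample)."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


# Constructed sample SAN with four entries. The otherName type-id is the
# placeholder OID 1.3.6.1.4.1.99999.1 (private-enterprise arc), hand-encoded.
_PLACEHOLDER_OID = bytes.fromhex("2b 06 01 04 01 86 8d 1f 01")
_OTHER_NAME = (_tlv(0x06, _PLACEHOLDER_OID)
               + _tlv(0xA0, _tlv(0x0C, b"node-placeholder")))  # [0] EXPLICIT UTF8String
SAMPLE_SAN_DER = _tlv(0x30,
                      _tlv(0x82, b"example.com")              # [2] dNSName
                      + _tlv(0x87, bytes([192, 0, 2, 1]))     # [7] iPAddress
                      + _tlv(0x86, b"https://example.com/")   # [6] URI
                      + _tlv(0xA0, _OTHER_NAME))              # [0] otherName, IMPLICIT SEQUENCE

if __name__ == "__main__":
    for kind, val in parse_general_names(SAMPLE_SAN_DER):
        print(f"{kind:28} {val}")
    for problem in br_problems(SAMPLE_SAN_DER):
        print("BR 7.1.4.2.1:", problem)
```

Run on the sample, `br_problems` flags the URI and the otherName and accepts the dNSName and iPAddress, which is exactly the split Eliot's and Ekr's messages describe: a public CA issuing against the BRs has no validation path for the other alternatives, so a linter on the CA side (or on certificates already in the wild) should treat any such entry as a finding rather than pass it through.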
_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
