> On 23 Jun 2020, at 14:01, Eric Rescorla <[email protected]> wrote:
>
> I don’t know if the group looked at this, but I can say that from a public CA
> standpoint, it’s not much different from otherName because there is a
> requirement to validate the name. A new URI scheme would require a new
> resolution mechanism. Perhaps that is needed as part of ACP anyway. The one
> value of URI is that it is easier to configure in some of the tooling like
> OpenSSL.
>
> What disturbs me about all of this is that public CAs will accept otherNames
> and produce garbage out. That’s just asking for a boot to the head* from a
> vulnerability perspective.
>
> This would at present appear to violate the BRs. S 7.1.4.2.1 says:
> Contents: This extension MUST contain at least one entry. Each entry MUST be
> either a dNSName containing the Fully-Qualified Domain Name or an iPAddress
> containing the IP address of a server. The CA MUST confirm that the Applicant
> controls the Fully-Qualified Domain Name or IP address or has been granted
> the right to use it by the Domain Name Registrant or IP address assignee, as
> appropriate.
>
> -Ekr
>
Oh, it does the DV. It just adds garbage into the cert :-(
_______________________________________________
Anima mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/anima
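The BR clause quoted above (7.1.4.2.1) is mechanically checkable: walk the DER-encoded GeneralNames of the SubjectAltName extension and flag any entry that is not a dNSName or an iPAddress, which is exactly the otherName case the thread is worried about. The following is an added illustration, not code from the Anima thread or from any CA tooling. It uses a hand-written minimal DER reader rather than a library so it runs offline; the sample SAN bytes are constructed inline, and the otherName type-id 1.2.3.4 is a placeholder, not the ACP OID.

```python
"""Lint a SubjectAltName value (DER GeneralNames) against the BR rule quoted in
the thread: every entry must be a dNSName or an iPAddress.
Added example; sample SAN bytes are constructed by hand below."""

# GeneralName CHOICE tags (RFC 5280 s.4.2.1.6), context-specific class, IMPLICIT.
TAG_OTHERNAME = 0xA0   # [0] otherName (constructed)
TAG_RFC822    = 0x81   # [1] rfc822Name
TAG_DNSNAME   = 0x82   # [2] dNSName
TAG_URI       = 0x86   # [6] uniformResourceIdentifier
TAG_IPADDR    = 0x87   # [7] iPAddress

BR_PERMITTED = ("dNSName", "iPAddress")


def _read_tlv(buf, pos):
    """Parse one DER TLV starting at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(raw):
    """Decode base-128 OID content bytes into dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    val = 0
    for byte in raw[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(str(a) for a in arcs)


def classify_san(der):
    """Return [(kind, rendered_value), ...] for each GeneralName in a SAN value."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("SAN value is not a single DER SEQUENCE")
    entries, pos = [], 0
    while pos < len(body):
        t, v, pos = _read_tlv(body, pos)
        if t == TAG_DNSNAME:
            entries.append(("dNSName", v.decode("ascii")))
        elif t == TAG_IPADDR:
            rendered = ".".join(str(b) for b in v) if len(v) == 4 else v.hex()
            entries.append(("iPAddress", rendered))
        elif t == TAG_OTHERNAME:
            # OtherName ::= SEQUENCE { type-id OBJECT IDENTIFIER, value [0] EXPLICIT ANY }
            # With IMPLICIT tagging the [0] tag replaces the SEQUENCE tag, so the
            # OID TLV is the first element of the otherName content.
            _, oid_bytes, _ = _read_tlv(v, 0)
            entries.append(("otherName", decode_oid(oid_bytes)))
        else:
            entries.append(("other(0x%02x)" % t, v.hex()))
    return entries


def br_violations(der):
    """Entries a server certificate SAN may not contain under the quoted BR text."""
    return [e for e in classify_san(der) if e[0] not in BR_PERMITTED]


# --- constructed sample: dNSName + iPAddress + a placeholder otherName --------
def _tlv(tag, value):
    assert len(value) < 128                 # short-form length suffices here
    return bytes([tag, len(value)]) + value


SAMPLE_SAN = _tlv(0x30,
    _tlv(TAG_DNSNAME, b"example.com")
    + _tlv(TAG_IPADDR, bytes([192, 0, 2, 10]))
    + _tlv(TAG_OTHERNAME,
           _tlv(0x06, bytes([0x2A, 0x03, 0x04]))        # placeholder type-id 1.2.3.4
           + _tlv(0xA0, _tlv(0x0C, b"opaque-value")))   # [0] EXPLICIT UTF8String
)

if __name__ == "__main__":
    for kind, value in classify_san(SAMPLE_SAN):
        print(f"{kind:10s} {value}")
    for kind, value in br_violations(SAMPLE_SAN):
        print(f"BR 7.1.4.2.1 violation: {kind} ({value}) is neither dNSName nor iPAddress")
```

Run on the constructed sample it reports the dNSName and iPAddress as permitted and the otherName as a violation; pointed at a real certificate's SAN extension value it serves as a pre-issuance lint for a CA or a post-issuance check for a relying party, independent of whether the CA performed domain validation on the other entries.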