On Tue, Aug 15, 2017 at 8:01 AM, Jeremy Rowley <[email protected]> wrote:
> I realize use of underscore characters has been debated and explained at the
> CAB Forum, but I think it's pretty evident (based on the certs issued and
> responses to Ballot 202) that not all CAs believe certs for SRVNames are
> prohibited. I realize the rationale against underscores is that 5280
> requires a valid host name for DNS and X.509 does not necessarily permit
> underscores, but it's not explicitly stated. Ballot 202 went a long way
> towards clarification on when underscores are permitted, but that failed,
> creating all new confusion on the issue. Any CA not paying careful
> attention to the discussion and looking at only the results, would probably
> believe SRVNames are permitted as long as the entry is in SAN:dNSName
> instead of otherName.

Jeremy,

I was assuming the definition of "SRVname" meant an otherName type entry. Obviously a dNSName of _xmpp.example.com would have name constraints applied, so I don't think that there is an issue there.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
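
The distinction discussed in this thread, as an added example that is not part of either message: RFC 5280 dNSName name constraints are matched label by label against dNSName SAN entries, so `_xmpp.example.com` is checked like any other name, while an otherName SRVName entry is a different name form and is not compared against dNSName subtrees. The tuple model of SAN entries, the type labels and the sample names are assumptions made for illustration.

```python
# Added illustration. SAN entries are modelled as (type, value) tuples; a real
# validator would decode them from the certificate's DER encoding.
DNS_NAME = "dNSName"
SRV_OTHER_NAME = "otherName:SRVName"  # hypothetical label for RFC 4985 SRVName


def labels(name):
    """Split a DNS name into lower-case labels, dropping empty labels
    (such as the one a trailing dot produces)."""
    return [part for part in name.lower().split(".") if part]


def dns_within(name, subtree):
    """RFC 5280 4.2.1.10: a dNSName satisfies a constraint when it can be built
    by adding zero or more labels to the left of the constraint."""
    n, s = labels(name), labels(subtree)
    return len(s) <= len(n) and n[len(n) - len(s):] == s


def check_san(san_entries, permitted_dns, excluded_dns=()):
    """Return (type, value, verdict) for each SAN entry under dNSName constraints."""
    results = []
    for kind, value in san_entries:
        if kind != DNS_NAME:
            # dNSName subtrees are only compared against dNSName entries.
            verdict = "not covered by dNSName constraints"
        elif any(dns_within(value, e) for e in excluded_dns):
            verdict = "rejected"
        elif permitted_dns and not any(dns_within(value, p) for p in permitted_dns):
            verdict = "rejected"
        else:
            verdict = "permitted"
        results.append((kind, value, verdict))
    return results


# Constructed sample: a CA constrained to example.com and three SAN entries.
SAMPLE_SAN = [
    (DNS_NAME, "_xmpp.example.com"),
    (DNS_NAME, "_xmpp.example.net"),
    (SRV_OTHER_NAME, "_xmpp.example.net"),
]

if __name__ == "__main__":
    for row in check_san(SAMPLE_SAN, permitted_dns=["example.com"]):
        print(row)
```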

