Ah. Sorry about that. I agree that no CA can issue those yet.

-----Original Message-----
From: Peter Bowen [mailto:[email protected]]
Sent: Tuesday, August 15, 2017 9:04 AM
To: Jeremy Rowley <[email protected]>
Cc: Gervase Markham <[email protected]>; Ryan Sleevi <[email protected]>; Peter Bowen <[email protected]>; mozilla-dev-security-policy <[email protected]>
Subject: Re: SRVNames in name constraints

On Tue, Aug 15, 2017 at 8:01 AM, Jeremy Rowley <[email protected]> wrote:
> I realize use of underscore characters has been debated and explained
> at the CAB Forum, but I think it's pretty evident (based on the certs
> issued and responses to Ballot 202) that not all CAs believe certs for
> SRVNames are prohibited. I realize the rationale against underscores
> is that 5280 requires a valid host name for DNS and X.509 does not
> necessarily permit underscores, but it's not explicitly stated. Ballot
> 202 went a long way towards clarification on when underscores are
> permitted, but that failed, creating all new confusion on the issue.
> Any CA not paying careful attention to the discussion and looking at
> only the results, would probably believe SRVNames are permitted as
> long as the entry is in SAN:dNSName instead of otherName.

Jeremy,

I was assuming the definition of "SRVname" meant an otherName type entry. Obviously a dNSName of _xmpp.example.com would have name constraints applied, so I don't think that there is an issue there.

Thanks,
Peter
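The distinction drawn in this thread, shown as an added example that is not part of the original messages: under RFC 5280 a name constraint applies only to SAN entries of the same name form, so a dNSName constraint covers `_xmpp.example.com` as a dNSName but says nothing about an otherName SRVName entry. The SAN entries, the constraint set and the `otherName:SRVName` label are constructed for illustration.

```python
def dns_in_subtree(name: str, base: str) -> bool:
    """RFC 5280 dNSName rule: a name satisfies the constraint if it equals
    the base or is the base with one or more labels added on the left."""
    name = name.lower().rstrip(".")
    base = base.lower().rstrip(".")
    if base == "":
        return True  # an empty base matches every DNS name
    return name == base or name.endswith("." + base)


def check_san(san, permitted):
    """san: list of (name_form, value) pairs from a certificate.
    permitted: dict mapping a name form to its permitted subtree bases.
    Returns one (name_form, value, verdict) tuple per SAN entry."""
    results = []
    for form, value in san:
        bases = permitted.get(form)
        if bases is None:
            # No constraint of this name form exists in the issuing CA
            # certificate, so this entry is not restricted at all.
            verdict = "unconstrained"
        elif form == "dNSName":
            ok = any(dns_in_subtree(value, b) for b in bases)
            verdict = "permitted" if ok else "rejected"
        else:
            # A constraint exists for a form this sketch cannot evaluate:
            # fail closed rather than silently accept.
            verdict = "rejected"
        results.append((form, value, verdict))
    return results


# Constructed sample: a CA constrained to example.com by dNSName only.
PERMITTED = {"dNSName": ["example.com"]}
SAN = [
    ("dNSName", "_xmpp.example.com"),            # underscore label, in subtree
    ("dNSName", "_xmpp.example.net"),            # outside the subtree
    ("otherName:SRVName", "_xmpp.example.net"),  # different name form
]

if __name__ == "__main__":
    for row in check_san(SAN, PERMITTED):
        print(row)
```

The third entry comes back as unconstrained, which is why the thread's question of whether "SRVName" means a dNSName or an otherName entry matters for technically constrained sub-CAs.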

