On 19/12/2018 04:14, Peter Bowen wrote: > On Tue, Dec 18, 2018 at 6:52 PM Jeremy Rowley via dev-security-policy < > [email protected]> wrote: > >> Ballot 202 failed. I’m not sure how it’s relevant other than to indicate >> there was definite disagreement about whether underscores were permitted or >> not. As previously mentioned, I didn’t consider underscore characters >> prohibited until the ballot was proposed eliminating them in Oct. I know >> the general Mozilla population disagrees but, right or wrong, that’s the >> root cause of it all. I can explain my reasoning again here, but I doubt it >> materially alters the conversation and outcome. >> > > I agree that Jeremy that the situation with underscores was unclear prior > to the ballot in October. Three years ago when I was writing certlint, my > very first public commit has the comment: > # Allow RFC defying '*' and '_' > > I honestly haven't been pay a lot of attention to the CA/Browser Forum > recently. Given the rationale for getting rid of underscores is RFC > compliance, did the ballot also disallow asterisks? They are also not > allowed by the "preferred name syntax", as specified by Section 3.5 of > [RFC1034] <https://tools.ietf.org/html/rfc1034#section-3.5> and as modified > by Section 2.1 of <https://tools.ietf.org/html/rfc1123#section-2.1> > [RFC1123] <https://tools.ietf.org/html/rfc1123#section-2.1>. >
The problematic section of RFC5280 contains this paragraph, wedged between encoding descriptions (which happen to include a reference to the "preferred syntax" of host names) and the corresponding ASN.1 syntax: Finally, the semantics of subject alternative names that include wildcard characters (e.g., as a placeholder for a set of names) are not addressed by this specification. Applications with specific requirements MAY use such names, but they must define the semantics. A different RFC defines the modern semantics of wildcard certificates, thus providing the required definition. Enjoy Jakob -- Jakob Bohm, CIO, Partner, WiseMo A/S. https://www.wisemo.com Transformervej 29, 2860 Søborg, Denmark. Direct +45 31 13 16 10 This public discussion message is non-binding and may contain errors. WiseMo - Remote Service Management for PCs, Phones and Embedded _______________________________________________ dev-security-policy mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security-policy
