On 27/12/2018 13:39, Nick Lamb wrote:
> As a relying party I read this in the context of the fact that we're
> talking about names that are anyway prohibited.
>

The problem here is that the prohibition lies in a complex legal reading
of multiple documents, similar to a situation where a court rules that a
set of laws has an (unexpected to many) legal consequence. Such rulings
frequently come out from the highest federal courts of the US and the
EU, and this is generally referred to as those courts effectively
creating new legislation.

It would benefit the honesty of this discussion if the side that won in
the CAB/F stopped pretending that everybody else "should have known" that
their victory was the only legally possible outcome and should never
have acted otherwise.

> Why would you need a publicly trusted certificate that specifies a name
> that is publicly prohibited?
>

Maybe because it is not publicly prohibited in general (the DNS standard
only recommends against it, and other public standards require some such
names for uses such as publishing certain public keys). The prohibition
exists only in the certificate standard (PKIX) and maybe in the
registration policies of TLDs (for TLD+1 names only).

> I guess the answer is "But it works on Windows". And Windows is welcome
> to implement a parallel "Windows PKI" which can have its own rules about
> naming and whatever else and so the certificates could be issued in that
> PKI but not in the Web PKI.

Actually, my only current uses of such names (none with certificates
anyway) are all done using a non-Windows OS, and the names seem to work
with every DNS library and tool tried.

Also it isn't the "Web PKI". It is the "Public TLS PKI", which is not
confined to Web Browsers surfing online shops and social networks, and
hasn't been since at least the day TLS was made an IETF standard.

Enjoy

Jakob
-- 
Jakob Bohm, CIO, Partner, WiseMo A/S.  https://www.wisemo.com
Transformervej 29, 2860 Søborg, Denmark.  Direct +45 31 13 16 10
This public discussion message is non-binding and may contain errors.
WiseMo - Remote Service Management for PCs, Phones and Embedded
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
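The distinction the message turns on (a name the DNS will happily resolve versus a name PKIX allows in a dNSName SAN) can be made concrete in code. The following is an added example, not code from the thread or from any CA or browser project. It checks a name against two rules: RFC 2181 section 11 (any 1-63 octet label is a valid DNS label, 255 octets total) and the "preferred name syntax" of RFC 1034 section 3.5 as modified by RFC 1123 section 2.1 (letters, digits, hyphens; no leading or trailing hyphen), which RFC 5280 section 4.2.1.6 requires for dNSName entries. The sample names below are constructed; the underscore-prefixed one is an assumption about the kind of name the thread has in mind, chosen because the message mentions names used for publishing public keys.

```python
import re

# RFC 1034 s3.5 / RFC 1123 s2.1 "preferred name syntax" for one label:
# letters, digits and hyphens (LDH), 1-63 octets, no leading/trailing hyphen.
# RFC 5280 s4.2.1.6 requires dNSName SAN entries to use this syntax.
LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# RFC 2181 s11: the DNS itself imposes only length limits on labels and names.
MAX_LABEL_OCTETS = 63
MAX_NAME_OCTETS = 253   # 255 wire octets minus length bytes for the root label


def split_labels(name: str) -> list[str]:
    """Split a presentation-form name into labels, dropping one trailing dot."""
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def is_dns_name(name: str) -> bool:
    """True if the DNS (RFC 2181) can carry this name: only length rules apply."""
    labels = split_labels(name)
    if not name or len(name.rstrip(".")) > MAX_NAME_OCTETS:
        return False
    return all(1 <= len(label.encode()) <= MAX_LABEL_OCTETS for label in labels)


def is_ldh_hostname(name: str) -> bool:
    """True if every label satisfies the preferred name syntax (RFC 1123 s2.1)."""
    return is_dns_name(name) and all(LDH_LABEL.match(lbl) for lbl in split_labels(name))


def classify_name(name: str) -> dict:
    """Report where a name is acceptable: DNS resolution vs a PKIX dNSName SAN."""
    dns_ok = is_dns_name(name)
    pkix_ok = is_ldh_hostname(name)
    return {
        "name": name,
        "dns_ok": dns_ok,                 # resolvable as far as RFC 2181 is concerned
        "pkix_dnsname_ok": pkix_ok,       # permitted in a dNSName by RFC 5280 s4.2.1.6
        "dns_only": dns_ok and not pkix_ok,
    }


# Constructed sample names (assumed, not from the thread).
SAMPLE_NAMES = [
    "www.example.com",          # ordinary hostname: fine in DNS and in a SAN
    "_dmarc.example.com",       # underscore label: DNS is fine with it, PKIX is not
    "-bad.example.com",         # leading hyphen: DNS is fine, preferred syntax rejects
    "xn--bcher-kva.example",    # A-label for an IDN: plain LDH, so fine in both
    "a" * 64 + ".example",      # 64-octet label: the DNS itself rejects this
]


def report(names: list[str] = SAMPLE_NAMES) -> list[dict]:
    """Classify each sample and return the results (also printed for the reader)."""
    results = [classify_name(n) for n in names]
    for r in results:
        print(f"{r['name']:<28} dns={r['dns_ok']!s:<5} pkix_dNSName={r['pkix_dnsname_ok']}")
    return results


if __name__ == "__main__":
    report()
```

The interesting row is any name where `dns_ok` is true but `pkix_dnsname_ok` is false: the DNS library resolves it without complaint, which is the behaviour the message reports, yet a publicly trusted CA bound by RFC 5280 cannot put it in a dNSName. The two rule sets are independent, so a name failing the DNS length limit fails both, while a syntactically odd but short label fails only the PKIX check.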