On Thu, 27 Dec 2018 15:30:01 +0100 Jakob Bohm via dev-security-policy <[email protected]> wrote:
> The problem here is that the prohibition lies in a complex legal
> reading of multiple documents, similar to a situation where a court
> rules that a set of laws has an (unexpected to many) legal
> consequence.

I completely disagree. This prohibition was an obvious fact, well known to (I had assumed prior to this present fever) everyone who cared about the Internet's underlying infrastructure. The only species of technical people I ever ran into previously who professed "ignorance" of the rule were the sort who see documents like RFCs as descriptive rather than prescriptive and so their position would be (as it seems yours is) "Whatever I can do is allowed". Hardly a useful rule for the Web PKI.

Descriptive documents certainly have their place - I greatly admire Geoff Pullum's Cambridge Grammar of the English Language, and I do own the more compact "Student's Introduction" book, both of which are descriptive since of course a natural language is not defined by such documents and can only be described by them (and imperfectly; exactly what's going on in English remains an active area of research). But that place is not here; the exact workings of DNS are prescribed, in documents you've called a "complex legal reading of multiple documents" but more familiarly known as "a bunch of pretty readable RFCs on exactly this topic".

> It would benefit the honesty of this discussion if the side that won
> in the CAB/F stops pretending that everybody else "should have known"
> that their victory was the only legally possible outcome and should
> never have acted otherwise.

I would suggest it would more benefit the honesty of the discussion if those who somehow convinced themselves of falsehood would accept this was a serious flaw and resolve to do better in future, rather than suppose that it was unavoidable and so we have to expect they'll keep doing it.

Consider it from my position. In one case I know Jakob made an error but has learned a valuable lesson from it and won't be caught the same way twice. In the other case Jakob is unreliable on simple matters of fact and I shouldn't believe anything further he says.

> Maybe because it is not publicly prohibited in general (the DNS
> standard only recommends against it, and other public standards
> require some such names for uses such as publishing certain public
> keys). The prohibition exists only in the certificate standard
> (PKIX) and maybe in the registration policies of TLDs (for TLD+1
> names only).

Nope. You are, as it seems others in your position have done before, confusing restrictions on all names in DNS with restrictions on names for _hosts_ in DNS. Lots of things can have underscores in their names, and will continue to have underscores in their names, but hosts cannot. Web PKI certs are issued for host names (and IP addresses, and as a special case, Tor hidden services).

Imagine if, on the same basis, a CA were to insist that they'd understood Texas to be a US state, and so they'd written C=TX on the rationale that a "state" is essentially the same kind of thing as a "country". I do not doubt they could find a few (mostly Texan) people to defend this view, but it's obviously wrong, and when the City of Austin Independent League of Skateboarders protests that they need to keep getting certificates with C=TX for compatibility reasons we'd have a good laugh and tell the CA to stop being so stupid, revoke these certs and move on.

> Also it isn't the "Web PKI". It is the "Public TLS PKI", which is
> not confined to Web Browsers surfing online shops and social
> networks, and hasn't been since at least the day TLS was made an IETF
> standard.

It is _named_ the Web PKI. As you point out, it is lots of things, and so "Web PKI" is not a good description but its name remains the Web PKI anyway. The name for people from my country is "Britons". Again it's not a good description, since some of them aren't from the island of Great Britain as the country extends to adjacent islands too. Nevertheless the name is "Britons".

Nick.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
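The distinction Nick draws above between names in DNS generally and names of hosts in particular, as an added Python example that is not part of this thread: a linter for candidate dNSName SAN entries that accepts LDH host names (plus one leftmost wildcard label) and rejects names that DNS itself permits but host-name syntax does not, such as labels with underscores. The function names and the sample SAN list are constructed for this example and assume nothing beyond the RFCs cited in the comments.

```python
import re

# RFC 1123 "LDH" host-name label: letters, digits and hyphens only, no leading
# or trailing hyphen, 1 to 63 characters. Case is not significant.
_LDH_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$", re.IGNORECASE)


def split_labels(name):
    """Return the labels of a presentation-format DNS name, or None when the
    string is not a DNS name at all (empty label, label > 63, name > 253)."""
    if name.endswith("."):        # tolerate one trailing dot for the root
        name = name[:-1]
    if not name or len(name) > 253:
        return None
    labels = name.split(".")
    if any(not 1 <= len(label) <= 63 for label in labels):
        return None
    return labels


def is_dns_name(name):
    """DNS itself places no restriction on label content (RFC 2181 section 11),
    so _dmarc.example.com is a perfectly good DNS name."""
    return split_labels(name) is not None


def is_host_name(name, allow_wildcard=True):
    """Host-name syntax (RFC 952 / RFC 1123): every label must be LDH. A single
    leftmost '*' label is accepted, as a Web PKI dNSName may carry one."""
    labels = split_labels(name)
    if labels is None:
        return False
    if allow_wildcard and labels[0] == "*" and len(labels) > 1:
        labels = labels[1:]
    return all(_LDH_LABEL.match(label) for label in labels)


def lint_dns_names(names):
    """Classify candidate dNSName SAN entries. Returns (accepted, rejected),
    where rejected is a list of (name, reason) pairs."""
    accepted, rejected = [], []
    for name in names:
        if not is_dns_name(name):
            rejected.append((name, "not a DNS name"))
        elif not is_host_name(name):
            rejected.append((name, "DNS name but not a host name"))
        else:
            accepted.append(name)
    return accepted, rejected


# Constructed sample SAN list (example.com is a reserved documentation domain).
SAMPLE_SANS = ["www.example.com", "*.example.com", "_dmarc.example.com",
               "my_host.example.com", "-bad.example.com", "a..example.com"]
```

Running `lint_dns_names(SAMPLE_SANS)` accepts only the first two entries; the underscore and leading-hyphen names are reported as valid DNS names that are nevertheless not host names, and the empty-label name is not a DNS name at all.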

