On Thu, 27 Dec 2018 22:43:19 +0100 Jakob Bohm via dev-security-policy <[email protected]> wrote:
> You must be traveling in a rather limited bubble of PKIX experts, all
> of whom live and breathe the reading of RFC5280. Technical people
> outside that bubble may have easily misread the relevant paragraph in
> RFC5280 in various ways. It's practically a pub quiz question.

I appreciate that I might be unusual in happening to care about this as a
lay person, but for a public CA in the Web PKI correctly understanding
this stuff was _their job_. It isn't OK for them to be bad at their jobs.

> The documents that prescribe the exact workings of DNS do not
> prohibit (only discourage) DNS names containing underscores. Web
> browser interfaces for URL parsing may not allow them, which would be
> a technical benefit for at least one usage of such certificates
> reported in the recent discussion.

We get it, you don't accept that not all DNS names can be names of hosts.
That you still seem determined not to understand this even when it's
explained repeatedly shows that my characterization of this position was
correct.

> That I disagree with you on certain questions of fact doesn't mean
> I'm unreliable, merely that you have not presented any persuasive
> arguments that you are not the one being wrong.

I can't distinguish people who are "actually" unreliable from people who
claim the plain facts are "unpersuasive" to their point of view, and so I
don't. Likewise m.d.s.policy largely doesn't care whether a CA's problems
are a result of incompetence or malfeasance, same outcome either way:
distrust.

> I merely
> dispute that this was obvious to every reader of those documents

Since you like legal analogies, the usual standard in law is that
something was known _or should have been known_. This means that a
declaration that you didn't know something holds no weight if a court
concludes that you _should_ have known it. If you have a responsibility
to know, "I didn't know" is not usually an excuse.

I don't believe subscribers should have known, but I do believe
Certificate Authorities should have known, or, as corporate entities,
should have employed someone who knew that this was an important thing to
understand, did their research and came back with a "No" that had the
effect of setting issuance policy.

Doubtless some ordinary subscribers believe Africa is a country. I don't
have a problem with that. But I hope we agree that a CA should not sign a
certificate which gives C=AP (an ISO code reserved for other reasons
associated with Africa) on the rationale that they thought Africa is a
country.

> A better example is the pre-2015 issuing of .onion names, which do
> not exist in the IANA-rooted DNS.

A better example in the sense that, if this happened today we would
expect CAs not to issue for such a name without first getting a change to
the BRs saying this hierarchy is special? If the situation was that CAs
had sensibly not issued for underscores, then asked if they could and
been turned down, this entire thread would not exist.

> I wrote this in opposition to someone seemingly insisting that the
> _name_ implied that all non-web uses are mistakes that should not be
> given any credence.

You wrote it in reply to me, and you quoted me. I don't know whether my
reciting these facts will be "persuasive" to you, but once again refusing
to believe something won't stop it being true - it only affects your
credibility.

Nick.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
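The disagreement above turns on the distinction between a DNS name and a hostname: DNS itself (RFC 2181 section 11) accepts any octet string as a label, while the "preferred name syntax" of RFC 1034 section 3.5, as relaxed by RFC 1123 section 2.1, restricts hostnames to letters, digits and hyphens. The following Python is an added example, not code from the thread or from any CA or browser vendor; it classifies candidate dNSName SAN values so that an issuance check can tell an underscore name such as `_sip._tcp.example.com` (a legal DNS name) from a hostname. The sample SAN values are constructed, and the allowance for a leading `*` wildcard label is an assumption mirroring how wildcard certificates are treated, not part of the RFC hostname grammar.

```python
import re

# RFC 1123 section 2.1 relaxes RFC 1034 section 3.5: a label is letters,
# digits and hyphens, may begin with a digit, may not begin or end with a
# hyphen, and is at most 63 octets. Underscore is not in the alphabet.
_LDH_LABEL = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?")


def _labels(name: str):
    """Split a presentation-format name into labels, dropping one trailing
    dot (absolute name). Returns None when the shape is unusable."""
    if name.endswith("."):
        name = name[:-1]
    if not name:
        return None
    labels = name.split(".")
    if any(lbl == "" for lbl in labels):
        return None  # empty label, e.g. "a..b" or a leading dot
    return labels


def is_dns_name(name: str) -> bool:
    """RFC 2181 section 11: any octet string is a legal label; DNS itself
    only imposes the 63-octet label and 255-octet wire-form limits."""
    labels = _labels(name)
    if labels is None:
        return False
    if any(len(lbl) > 63 for lbl in labels):
        return False
    # wire form: one length octet per label plus the zero-length root label
    return sum(len(lbl) + 1 for lbl in labels) + 1 <= 255


def is_hostname(name: str, allow_wildcard: bool = True) -> bool:
    """Hostname per the preferred name syntax (RFC 1034 s3.5 / RFC 1123
    s2.1). A leading "*" label is accepted as a wildcard marker when
    allow_wildcard is set; that is a certificate-policy allowance
    (assumption), not part of the RFC hostname grammar."""
    if not is_dns_name(name):
        return False
    labels = _labels(name)
    if allow_wildcard and labels[0] == "*" and len(labels) > 1:
        labels = labels[1:]
    return all(_LDH_LABEL.fullmatch(lbl) for lbl in labels)


def classify_san_dnsname(name: str) -> str:
    """Classify a candidate dNSName SAN value:
    'hostname'             : a DNS name that is also a valid hostname
    'dns-name-not-hostname': legal in DNS, but not a hostname (e.g. underscore)
    'invalid'              : not even a DNS name
    """
    if not is_dns_name(name):
        return "invalid"
    return "hostname" if is_hostname(name) else "dns-name-not-hostname"


def check_san_dnsnames(names):
    """Classify every candidate; returns {name: classification}."""
    return {n: classify_san_dnsname(n) for n in names}


# Constructed sample SAN values, not taken from any real certificate.
SAMPLE_SANS = [
    "www.example.com",
    "*.example.com",
    "_sip._tcp.example.com",    # SRV-style name: DNS yes, hostname no
    "exam_ple.com",
    "-bad.example.com",         # leading hyphen violates LDH
    "a" * 64 + ".example.com",  # label longer than 63 octets
    "",
]

if __name__ == "__main__":
    for name, verdict in check_san_dnsnames(SAMPLE_SANS).items():
        print(f"{verdict:22} {name!r}")
```

The point the check makes concrete is that "valid in DNS" is a weaker property than "a hostname": an issuance pipeline that only validates the former will happily accept `_sip._tcp.example.com`, which is exactly the gap the thread is about.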

