Hey Gerv, - I think the intent was that they don't apply, but the language is definitely unclear. From the RFC:
"SRVName restrictions are expressed as a complete SRVName (_mail.example.com), just a service name (_mail), or just as a DNS name (example.com). The name restriction of the service name part and the DNS name part of SRVName are handled separately." This seems to indicate SRV restrictions are something new compared to domain name constraints. I suppose it's largely up to UA's implementing the RFC at this point. Still looking for two endorsers. ----- Original Message----- From: Gervase Markham [mailto:[email protected]] Sent: Tuesday, October 10, 2017 5:26 AM To: Jeremy Rowley <[email protected]>; CA/Browser Forum Public Discussion List <[email protected]> Subject: Re: [cabfpub] Ballot 184 - SRVnames On 04/10/17 06:38, Jeremy Rowley via Public wrote: > Probably time to finish this ballot off. This is the last version I > have, slightly modified to remove the 822 and other language. Thoughts? Do DNSName name constraints in a TCSC apply to the DNS name part of the SVRName? I've read section 4 of https://tools.ietf.org/html/rfc4985 but it doesn't seem clear to me whether the restrictions specced there are a totally new sort of restriction, or whether they leverage the existing DNS name restriction abilities for the DNS name part and just add the ability to also restrict the service name. Gerv
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
