> On Nov 15, 2017, at 9:46 AM, Gervase Markham via Public <[email protected]> > wrote: > > On 15/11/17 09:38, Ryan Sleevi wrote: >> I gave an option immediately preceding the text you snipped, along with >> the trade-offs such options come with. > > So you are suggesting we don't enable SRVnames until someone has specced > such an extension and it's been implemented?
Another option is to just forbid CAs with DNS name constraints from issuing SRVname certificates unless they have SRVname constraints defined as well. That doesn’t change things compared to today — the only thing preventing them from issuing SRVname certificates is the BRs. Thanks, Peter _______________________________________________ Public mailing list [email protected] https://cabforum.org/mailman/listinfo/public
