Re: Underscore domains?
On Sat, Dec 29, 2018 at 02:40:10PM -0800, Lewis Resmond via dev-security-policy wrote: > I am not 100% sure, but I have read that underscores can exist in domain > names: > https://stackoverflow.com/questions/2180465/can-domain-name-subdomains-have-an-underscore-in-it Correct, but irrelevant for the purposes of this discussion. > In another thread of this newsgroup, I saw a list of certificates to be > revoked because of the underscore issue. And they had underscore domain > names in it, either in CN or DNS-Names. Correct. > So, I wonder, what's the whole forbit-underscore-certificates about? If > there are domains out there with underscores, why do you want exclude them > from being able to use TLS? Because a TLS client doesn't identify the endpoint with which to establish a connection by resolving a domain name, it does so by resolving a host name, which is a different beast, and which has different rules around what characters are valid -- rules which happen to exclude underscores from the list of permitted characters. - Matt ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Underscore domains?
I am not 100% sure, but I have read that underscores can exist in domain names: https://stackoverflow.com/questions/2180465/can-domain-name-subdomains-have-an-underscore-in-it In another thread of this newsgroup, I saw a list of certificates to be revoked because of the underscore issue. And they had underscore domain names in it, either in CN or DNS-Names. So, I wonder, what's the whole forbit-underscore-certificates about? If there are domains out there with underscores, why do you want exclude them from being able to use TLS? Am Samstag, 22. Dezember 2018 03:46:01 UTC+1 schrieb Matt Palmer: > On Fri, Dec 21, 2018 at 06:14:19PM -0800, Lewis Resmond via > dev-security-policy wrote: > > I have read the debate about the underscores and I understand that they > > were never intended in the RFC. > > But I wonder, does it now mean that people who have a domain name with > > underscore will never be able to receive a certificate again? > > There are registered domains -- as in, actual eTLD+1 names -- that have > underscores in them? > > - Matt ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Re: Underscore domains?
On Fri, Dec 21, 2018 at 06:14:19PM -0800, Lewis Resmond via dev-security-policy wrote: > I have read the debate about the underscores and I understand that they were > never intended in the RFC. > But I wonder, does it now mean that people who have a domain name with > underscore will never be able to receive a certificate again? There are registered domains -- as in, actual eTLD+1 names -- that have underscores in them? - Matt ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy
Underscore domains?
Hello, I have read the debate about the underscores and I understand that they were never intended in the RFC. But I wonder, does it now mean that people who have a domain name with underscore will never be able to receive a certificate again? I'm just being curious. ___ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy