I'm testing a git-based version of acme-client on OpenBSD 6.0 at the
moment and visually comparing source with that in CVS, but this is
relevant to OpenBSD 6.1 so bear with me here.

In the git version in revokeproc.c about line 237 we see the following
comment following the "Parse the SAN line" text:

   we don't allowing removing domains from certificates

This behavior matches what I saw empirically, which is why I went
looking at the source.

Inspection of the OpenBSD CVS source, although it doesn't have that
comment, appears to follow the same logic.  I'm still wading through
the ACME protocol spec, but so far I've not seen anything that would
prohibit removal of the domain.

So my question is: Is this behavior something that should be mentioned
in the BUGS section of the man page?  Or am I missing something in the
protocol spec?

To be clear, this would exhibit itself if you took a running
configuration of:

   domain example.com {
       alternative names { secure.example.com www.example.com }
       ...
   }

and changed it to:

   domain example.com {
       alternative names { www.example.com }
       ...
   }


Devin
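The configuration change described above, as an added example that is not part of the original post and not acme-client's own code: a small preflight comparison between the DNS names in an already-issued certificate and the names an acme-client.conf domain block covers, so that a name dropped from the configuration (secure.example.com in the second block) is spotted before the client is run. The SAN text format ("DNS:name, DNS:name") is the OpenSSL rendering and the sample line is constructed; the config parsing is a minimal approximation of the domain / alternative names syntax shown in the post, not the real parser; and treating "present in the certificate but absent from the configuration" as the condition the post describes is an assumption drawn from the quoted comment, not a reading of revokeproc.c.

```python
# Added example, not acme-client's code. Compares certificate SAN names
# with the names a configuration block covers and reports what changed.
import re

# Constructed sample: what an OpenSSL-style SAN line looks like for the
# certificate issued from the first configuration in the post.
CERT_SAN_LINE = "DNS:example.com, DNS:secure.example.com, DNS:www.example.com"

# The two configuration blocks from the post (only the parts parsed here).
OLD_CONF = """
domain example.com {
    alternative names { secure.example.com www.example.com }
}
"""
NEW_CONF = """
domain example.com {
    alternative names { www.example.com }
}
"""


def cert_san_names(san_line):
    """Set of DNS names in an OpenSSL-style SAN text line (case-folded)."""
    return {m.group(1).lower() for m in re.finditer(r"DNS:([^,\s]+)", san_line)}


def conf_names(conf_text):
    """Set of names a domain block covers: the domain itself plus its
    alternative names. Minimal parser, an approximation of the real syntax."""
    block = re.search(r"^\s*domain\s+(\S+)\s*\{", conf_text, re.M)
    if block is None:
        raise ValueError("no domain block found")
    names = {block.group(1).lower()}
    alt = re.search(r"alternative\s+names\s*\{([^}]*)\}", conf_text)
    if alt is not None:
        names.update(n.lower() for n in alt.group(1).split())
    return names


def removed_names(san_line, conf_text):
    """Names in the certificate that the configuration no longer lists."""
    return sorted(cert_san_names(san_line) - conf_names(conf_text))


def added_names(san_line, conf_text):
    """Names in the configuration that the certificate does not yet carry."""
    return sorted(conf_names(conf_text) - cert_san_names(san_line))


def preflight(san_line, conf_text):
    """Return (ok, removed, added); ok is False when a name would be dropped,
    the condition the post describes the client refusing."""
    removed = removed_names(san_line, conf_text)
    added = added_names(san_line, conf_text)
    return (len(removed) == 0, removed, added)


if __name__ == "__main__":
    for label, conf in (("old", OLD_CONF), ("new", NEW_CONF)):
        ok, removed, added = preflight(CERT_SAN_LINE, conf)
        print(f"{label}: ok={ok} removed={removed} added={added}")
```

Running it reports the first block as consistent with the certificate and flags secure.example.com as removed under the second block; a name added to alternative names would show up in the added list instead, which is the direction the post reports as working.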