On 31/03/14 15:57, Peter Bowen wrote:
> On Mon, Mar 31, 2014 at 7:01 AM, Rob Stradling <[email protected]> wrote:
>> On 31/03/14 14:44, Peter Bowen wrote:
>>> If _completely_hidden_ is the requirement, then I agree that any
>>> option that is no f(x) = 1 (for fixed values of 1) fails.
>>>
>>> Why have the long string "(PRIVATE)" at all then?  Would a single '?'
>>> not be adequate?  I don't think you will ever find '?' in a real
>>> dNSName.
>>
>> "PRIVATE" seemed a good choice of string literal from the point of view of
>> explaining the idea clearly, but I'm not bothered what string literal we end
>> up using.
>>
>> Why does the length of the string literal concern you?
>
> I guess it does not really matter.  I was thinking about the future,
> when CT is used for the CDN certificates with hundreds of SANs.
> Moving "www" -> "(PRIVATE)" for 200 names increases the size by 1200
> bytes.  Maybe additional size is not a big deal.

"(PRIVATE)" will appear in some Precertificates. Precertificates will be generated by CAs, stored by CT Logs, and dynamically reconstructed by TLS Clients.

"(PRIVATE)" will _not_ appear in Server Certificates sent by TLS Servers to TLS Clients. So if you're concerned about the impact of "(PRIVATE)" on TLS handshake sizes, you needn't be.

--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
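The following is an added worked example, not code from the thread or from any CT implementation. It models the two points made above: the "(PRIVATE)" label is substituted for the leftmost dNSName label in the Precertificate only (so the size delta Peter computes, 200 names times the 6-byte difference between "www" and "(PRIVATE)", lands on the Precertificate, not the Server Certificate), and a TLS Client that reconstructs the Precertificate must check that each Server Certificate name is consistent with its redacted counterpart. The rule that exactly the leftmost labels are hidden, the one-to-one ordering of names, and the helper names are assumptions made for this example.

```python
"""Toy model of "(PRIVATE)" dNSName redaction for CT Precertificates (added example)."""

# The literal used in the thread; "(" and ")" cannot occur in a real DNS label,
# so it can never collide with a genuine dNSName (Peter's point about '?').
PRIVATE_LABEL = "(PRIVATE)"


def redact_dnsname(name: str, hidden_labels: int = 1) -> str:
    """Replace the leftmost `hidden_labels` labels with one "(PRIVATE)" label.

    Assumption: the thread only shows "www" -> "(PRIVATE)"; hiding more than
    one label is an extension of that idea, not something the thread specifies.
    """
    labels = name.split(".")
    if hidden_labels <= 0 or hidden_labels >= len(labels):
        raise ValueError("at least the registered domain must stay visible")
    return ".".join([PRIVATE_LABEL] + labels[hidden_labels:])


def precert_size_delta(names, hidden_labels: int = 1) -> int:
    """Byte growth of the dNSName IA5String contents when building the Precertificate.

    Only the string contents are counted; DER length prefixes are ignored here,
    which is enough to reproduce the 200 x ("(PRIVATE)" - "www") arithmetic.
    """
    return sum(
        len(redact_dnsname(n, hidden_labels).encode("ascii")) - len(n.encode("ascii"))
        for n in names
    )


def name_matches_redacted(cert_name: str, precert_name: str) -> bool:
    """Does a Server Certificate dNSName reconstruct to the given Precertificate name?

    - A Server Certificate must never carry the literal "(PRIVATE)" itself.
    - If the Precertificate name is unredacted, the names must be identical.
    - If it is redacted, the visible suffix must match and the Server
      Certificate name must contribute at least one hidden label.
    Comparison is case-insensitive, as DNS names are.
    """
    if PRIVATE_LABEL in cert_name:
        return False
    p = precert_name.lower().split(".")
    c = cert_name.lower().split(".")
    if p[0] != PRIVATE_LABEL.lower():
        return c == p
    suffix = p[1:]
    if len(c) <= len(suffix):
        return False  # nothing was actually hidden, e.g. "example.com" vs "(PRIVATE).example.com"
    return c[-len(suffix):] == suffix


def check_cert_against_precert(cert_names, precert_names) -> bool:
    """Client-side consistency check: every SAN must pair, in order, with a redacted SAN.

    Assumption: the Precertificate keeps the SAN order of the Server Certificate.
    """
    if len(cert_names) != len(precert_names):
        return False
    return all(name_matches_redacted(c, p) for c, p in zip(cert_names, precert_names))


if __name__ == "__main__":
    # Constructed sample: a CDN-style certificate with 200 "www" names.
    sans = [f"www.site{i}.example" for i in range(200)]
    precert_sans = [redact_dnsname(n) for n in sans]
    print(precert_sans[0])                      # (PRIVATE).site0.example
    print(precert_size_delta(sans))             # 1200
    print(check_cert_against_precert(sans, precert_sans))              # True
    print(check_cert_against_precert(["site0.example"], precert_sans[:1]))  # False
```

The size delta reproduces Peter's 1200-byte figure for the Precertificate, while the Server Certificate list `sans` is untouched, which is Rob's point about handshake sizes. The consistency check is the part a client needs: a redacted name is accepted only when the visible suffix matches and at least one label was really hidden.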

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
