#54: Simplify name redaction

The name redaction mechanism, as currently defined, does not reveal how many labels have been redacted. This seems unnecessary.

If we're happy to reveal the number of redacted labels, then we could simplify the name redaction mechanism by...

- scrapping the "redactedLabels" Certificate extension (1.3.6.1.4.1.11129.2.4.6).
- stating that the literal string "(PRIVATE)" always covers precisely _one_ label.

So for example, if you wanted to redact 3 components, you'd put "SAN:dNSName=(PRIVATE).(PRIVATE).(PRIVATE).mydomain.com" in the Precertificate.

To reduce bloat, I think we should also change "(PRIVATE)" to "?". e.g. "SAN:dNSName=?.?.?.mydomain.com"

This simplification would make ticket #17 easier to resolve, i.e. we could permit "CN=?.?.?.mydomain.com".

When I proposed this on the TRANS list back in September, Eran commented:

"+1 to that - seems like it would significantly simplify the implementation of redacted domain name label: The risk of misalignment between the values in the extension that counts the number of redacted subdomains for each SAN and the actual SANs goes away."

--
-------------------------------------+-------------------------------------
 Reporter:  [email protected]          |      Owner:  draft-ietf-trans-[email protected]
     Type:  enhancement              |     Status:  new
 Priority:  major                    |  Milestone:
Component:  rfc6962-bis              |    Version:
 Severity:  -                        |   Keywords:
-------------------------------------+-------------------------------------
Ticket URL: <http://trac.tools.ietf.org/wg/trans/trac/ticket/54>
trans <http://tools.ietf.org/trans/>
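An added illustration of the two encodings the ticket compares, written here as example code; it is not from the ticket, the TRANS list, or RFC 6962-bis. The model of the current scheme (a single leftmost "(PRIVATE)" label plus a per-SAN count list standing in for the redactedLabels extension) and the rule that at least one label must stay visible are assumptions of this example. It shows the alignment check a log or monitor needs under the current scheme, and why that check disappears when each "?" covers exactly one label.

```python
# Added example (not part of the ticket, the TRANS list, or RFC 6962-bis):
# a small model of the two name-redaction encodings the ticket compares.
#
# Assumed "current" scheme: a redacted dNSName carries the single literal
# "(PRIVATE)" as its leftmost label, and a separate redactedLabels
# extension lists, for each dNSName SAN in order, how many labels that
# literal stands for. The ASN.1 layout is not modelled; only the per-SAN
# count list that must stay aligned with the SANs.
#
# Proposed scheme: each "?" label stands for exactly one redacted label,
# so the count is implicit in the name and no extension is needed.

PRIVATE_LITERAL = "(PRIVATE)"
REDACTED_LABEL = "?"


def _labels(name):
    """Split a dNSName into labels, dropping a trailing root dot."""
    return name.rstrip(".").split(".")


def old_scheme_check(sans, redacted_counts):
    """Return a list of misalignment problems between the dNSName SANs and
    the per-SAN counts carried by the (assumed) redactedLabels extension.
    An empty list means the extension and the SANs agree."""
    problems = []
    if len(sans) != len(redacted_counts):
        problems.append("extension lists %d counts for %d dNSName SANs"
                        % (len(redacted_counts), len(sans)))
    for i, (san, count) in enumerate(zip(sans, redacted_counts)):
        labels = _labels(san)
        has_literal = labels[0] == PRIVATE_LITERAL
        if count < 0:
            problems.append("SAN %d: negative count %d" % (i, count))
        elif has_literal and count == 0:
            problems.append("SAN %d: %s present but count is 0"
                            % (i, PRIVATE_LITERAL))
        elif not has_literal and count > 0:
            problems.append("SAN %d: count %d but no %s label"
                            % (i, count, PRIVATE_LITERAL))
        if PRIVATE_LITERAL in labels[1:]:
            problems.append("SAN %d: %s must be the leftmost label"
                            % (i, PRIVATE_LITERAL))
    return problems


def old_to_new(san, count):
    """Rewrite one SAN from the current encoding into the proposed one:
    the single "(PRIVATE)" label becomes `count` "?" labels."""
    labels = _labels(san)
    if labels[0] != PRIVATE_LITERAL:
        if count != 0:
            raise ValueError("count %d given for an unredacted name" % count)
        return san
    if count < 1:
        raise ValueError("redacted name needs a positive count")
    return ".".join([REDACTED_LABEL] * count + labels[1:])


def new_scheme_redact(full_name, n_labels):
    """Redact the leftmost n_labels labels of full_name with "?".
    Assumption of this example: at least one label must remain visible."""
    labels = _labels(full_name)
    if not 0 <= n_labels < len(labels):
        raise ValueError("cannot redact %d of %d labels"
                         % (n_labels, len(labels)))
    return ".".join([REDACTED_LABEL] * n_labels + labels[n_labels:])


def count_redacted(redacted_name):
    """Number of redacted labels; under the proposal this is read straight
    from the name, with nothing to keep aligned."""
    return sum(1 for lab in _labels(redacted_name) if lab == REDACTED_LABEL)


def new_scheme_matches(redacted_name, full_name):
    """True if full_name is one of the names redacted_name could stand for:
    same label count, and every non-"?" label equal (DNS labels compare
    case-insensitively)."""
    r = _labels(redacted_name)
    f = _labels(full_name)
    if len(r) != len(f):
        return False
    return all(a == REDACTED_LABEL or a.lower() == b.lower()
               for a, b in zip(r, f))


if __name__ == "__main__":
    # Constructed sample SANs and count lists.
    sans = ["(PRIVATE).mydomain.com", "www.mydomain.com"]
    print(old_scheme_check(sans, [3, 0]))   # aligned: []
    print(old_scheme_check(sans, [0, 2]))   # misaligned: two problems
    print(old_to_new(sans[0], 3))           # ?.?.?.mydomain.com
    print(new_scheme_redact("a.b.c.mydomain.com", 3))
    print(new_scheme_matches("?.?.?.mydomain.com", "a.b.c.mydomain.com"))
```

The check in old_scheme_check is exactly the cross-structure consistency that Eran's comment refers to; a certificate whose count list and SANs disagree is ambiguous about what was redacted. With "?" labels, count_redacted and new_scheme_matches operate on the name alone, so there is no second structure to drift out of step.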
