Rob,

#54: Simplify name redaction

  The name redaction mechanism, as currently defined, does not reveal how
  many labels have been redacted.  This seems unnecessary.  If we're happy
  to reveal the number of redacted labels, then we could simplify the name
  redaction mechanism by...
    - scrapping the "redactedLabels" Certificate extension
  (1.3.6.1.4.1.11129.2.4.6).
I think that indicating how many names have been redacted is a good
simplification.
    - stating that the literal string "(PRIVATE)" always covers precisely
  _one_ label.
Since DNS names are case insensitive, I suggest we not represent a reserved
label in uppercase. It may cause some readers to believe that the label is
special because of its case.
  So for example, if you wanted to redact 3 components, you'd put
  "SAN:dNSName=(PRIVATE).(PRIVATE).(PRIVATE).mydomain.com" in the
  Precertificate.

  To reduce bloat, I think we should also change "(PRIVATE)" to "?".
  e.g. "SAN:dNSName=?.?.?.mydomain.com"
Is "?" a legal DNS label character? It doesn't seem so as per RFC 1034,
and RFC 5280 cites 1034 as the normative spec for dNSName syntax in
the subjectAltName extension.

Steve

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
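As an added example, not code from the thread or from the draft, here is the check a CT client or log could run under the simplified scheme Rob proposes and Steve comments on: count the redacted labels (one per placeholder label), verify that a final certificate's dNSName is a legitimate unredaction of the precertificate's dNSName, comparing case-insensitively as Steve notes, and test whether a candidate placeholder such as "(PRIVATE)" or "?" is itself a legal label under the RFC 1034 letter-digit-hyphen rule. The function names, the label-by-label matching rule and the sample names are assumptions for illustration; the draft does not specify them.

```python
import re

# RFC 1034 "preferred name syntax" (with the RFC 1123 relaxation that a
# label may start with a digit): letters, digits and hyphens only, no
# leading or trailing hyphen, 1 to 63 octets. Matching is case-insensitive.
LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Assumed placeholder spelling, taken from the quoted proposal.
DEFAULT_PLACEHOLDER = "(PRIVATE)"


def is_ldh_label(label):
    """True iff `label` is a syntactically legal RFC 1034 LDH label."""
    return bool(LDH_LABEL.match(label))


def split_labels(name):
    """Split a dNSName into labels, lower-cased because DNS names compare
    case-insensitively; a trailing dot is ignored."""
    name = name.rstrip(".").lower()
    return name.split(".") if name else []


def count_redacted(precert_name, placeholder=DEFAULT_PLACEHOLDER):
    """Number of redacted labels: under the simplified scheme each
    placeholder label stands for exactly one real label."""
    ph = placeholder.lower()
    return sum(1 for label in split_labels(precert_name) if label == ph)


def matches_redacted(cert_name, precert_name, placeholder=DEFAULT_PLACEHOLDER):
    """True iff `cert_name` (from the final certificate) is a valid
    unredaction of `precert_name` (from the precertificate): same number
    of labels, every placeholder position filled by a legal LDH label, and
    every other label identical (case-insensitively)."""
    cert = split_labels(cert_name)
    pre = split_labels(precert_name)
    ph = placeholder.lower()
    if len(cert) != len(pre):
        return False
    for real, redacted in zip(cert, pre):
        if redacted == ph:
            # A redacted position must hold a real, well-formed label;
            # it must not hold the placeholder itself.
            if not is_ldh_label(real):
                return False
        elif real != redacted:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample names, not taken from any real certificate.
    pre = "(PRIVATE).(PRIVATE).(PRIVATE).mydomain.com"
    print(count_redacted(pre))                                # 3
    print(matches_redacted("a.b.c.mydomain.com", pre))         # True
    print(matches_redacted("a.b.c.evil.com", pre))             # False
    print(count_redacted("?.?.?.mydomain.com", "?"))           # 3
    # Steve's objection: neither candidate placeholder is a legal label.
    print(is_ldh_label("?"), is_ldh_label("(PRIVATE)"))        # False False
```

The LDH test on the placeholder cuts both ways: a placeholder that is not a legal label cannot collide with a real hostname, which is desirable, but it also means the precertificate's dNSName violates the RFC 5280 syntax Steve cites, which is the trade-off the thread is weighing.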