Rob,

You made several good points that address the concerns I raised. If the pre-cert format is NOT a cert (or a TBSCertificate), then the syntax specified in 5280 and its predecessors (and X.509) doesn't strictly apply. I forgot: what is the source of the CMS object format we decided upon?

I also checked with one of the authors of 2459 and he agreed that we always thought in terms of "*" as _the_ wildcard character, but that since we didn't say so explicitly, there is no basis for rejecting "?" or another character. I do suggest that the WG coordinate with some DNS experts to see what they think about our use of non-DNS characters in what is a DNS name pattern matching context, and whether they have a preference for any specific character.

The distinction that you made between the semantics of "*" and the intended semantics for "PRIVATE" was one I had not realized. Specifically, you noted that "*" matches any label whereas "?" is intended to match only one (redacted) label. That seems like a good reason to use a different character, but it also raises the question of how a Monitor or TLS client is supposed to enforce this requirement. Do you envision these clients remembering every cert that they encounter that matches a redacted pre-cert, and checking to see if a CA has issued two certs with different values for a redacted DNS label? If not, why state this as a requirement?

Steve
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
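The following is an added illustration of the enforcement question Steve raises above; it is not code from the thread, the draft, or any CT project. It assumes, as the message describes, that "*" in a pre-cert name stands for any value of one label and that "?" marks one redacted label whose concrete value is fixed once the corresponding cert is issued. The matching is done label by label, and the monitor logic shows what a Monitor would have to remember (issuer, pattern, and the concrete value seen for each redacted label) in order to notice a CA issuing two certs with different values for the same redacted label. The issuer name, hostnames, and the exact-label-count rule are constructed for the example.

```python
"""Redacted pre-cert name matching and a toy Monitor check (constructed example).

Assumptions (not taken from any spec text):
  * "*"  matches any single label, with no constraint across certs.
  * "?"  matches any single label, but a given (issuer, pattern) may only
         ever resolve that label to ONE concrete value.
  * Patterns and names must have the same number of labels.
"""
from collections import defaultdict

WILDCARD = "*"
REDACTED = "?"


def labels(name):
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def match(pattern, name):
    """Match a cert DNS name against a pre-cert name pattern.

    Returns None when the name does not match. Otherwise returns the list of
    (label_index, concrete_value) pairs that the "?" labels resolved to; a
    plain wildcard match contributes nothing to that list.
    """
    p_labels, n_labels = labels(pattern), labels(name)
    if len(p_labels) != len(n_labels):
        return None
    bindings = []
    for i, (p, n) in enumerate(zip(p_labels, n_labels)):
        if p == WILDCARD:
            continue                      # any value, nothing to remember
        if p == REDACTED:
            bindings.append((i, n))       # one hidden label, value now known
            continue
        if p != n:
            return None
    return bindings


class RedactionMonitor:
    """Remembers redacted-label values per (issuer, pattern) and records
    conflicts, i.e. the same CA issuing certs with different values for the
    same redacted label. This is the bookkeeping a Monitor would need to
    enforce the "?" semantics; a TLS client has no such memory."""

    def __init__(self):
        self.seen = defaultdict(dict)     # (issuer, pattern) -> {index: value}
        self.violations = []              # (issuer, pattern, index, old, new)

    def observe(self, issuer, pattern, cert_name):
        """Record a cert seen against a pattern. Returns False if it does not
        match the pattern at all, True otherwise (conflicts are recorded)."""
        bindings = match(pattern, cert_name)
        if bindings is None:
            return False
        key = (issuer, pattern.lower())
        for idx, value in bindings:
            previous = self.seen[key].get(idx)
            if previous is None:
                self.seen[key][idx] = value
            elif previous != value:
                self.violations.append((issuer, pattern, idx, previous, value))
        return True


def demo():
    """Constructed log entries: 'Example CA' is a made-up issuer."""
    m = RedactionMonitor()
    # Wildcard pattern: two different hostnames are fine.
    m.observe("Example CA", "*.example.com", "mail.example.com")
    m.observe("Example CA", "*.example.com", "vpn.example.com")
    # Redacted pattern: the second cert reveals a different hidden label.
    m.observe("Example CA", "?.example.com", "mail.example.com")
    m.observe("Example CA", "?.example.com", "vpn.example.com")
    return m.violations


if __name__ == "__main__":
    for v in demo():
        print("conflict:", v)
```

Running the script prints one conflict for the "?" pattern and none for the "*" pattern, which is exactly the difference the message describes: "*" is satisfied by any label value, while "?" commits the CA to a single value that only an observer with state can check.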