Rob,
That seems like a good idea. Did you have any particular DNS experts in mind?
I'd ask Joel Jaeggli <[email protected]> for suggestions.
If not, why state this as a requirement?
I don't think the current text does state this as a requirement.
Your message to me cited this as a reason for not using "*" in this context. If the different semantics for PRIVATE/? are not a requirement, that argument isn't applicable. Color me confused.
If there are multiple certs (which may or may not contain different unredacted domain label(s)) that match one redacted precert, then those certs will all share the same Serial Number and be issued by the same CA.
RFC5280 already disallows this, so 6962-bis doesn't also need to disallow it. :-)
Can you cite the part of 5280 that you feel is applicable here? 4.1.2.2 notes that a cert serial number uniquely identifies a cert, which doesn't seem compatible with your comment.
Hmmm...
Should we specify that the redaction label (i.e. "(PRIVATE)" or "?" or whatever the DNS experts prefer) MUST NOT match "*" in the cert?
I can't think of a legitimate reason to hide wildcard certs from the log.
I agree that wildcard certs should be logged.
Steve
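The two checks discussed in this exchange, written up as an added example (this is not code from the thread, from 6962-bis, or from any CT log implementation): a log or monitor matching a redacted precert against the final certificates it could correspond to, refusing a match where a redacted label would be revealed as "*", and flagging the RFC 5280 section 4.1.2.2 problem when more than one distinct final cert shares the precert's issuer and serial number. The placeholders "?" and "(PRIVATE)", the one-cert-label-per-redacted-label rule, and the positional comparison of name lists are all assumptions made for the example, since the thread leaves the final label form to the DNS experts.

```python
from dataclasses import dataclass
from typing import Iterable, List, Sequence, Tuple

# Assumed placeholders for a redacted label; the thread leaves the final
# spelling to the DNS experts, so both are hypothetical here.
REDACTION_LABELS = ("?", "(PRIVATE)")


def match_redacted_name(precert_name: str, cert_name: str,
                        redaction_labels: Sequence[str] = REDACTION_LABELS) -> bool:
    """Return True if cert_name is an acceptable unredaction of precert_name.

    Assumed rules: labels are compared one-to-one (a placeholder stands for
    exactly one label), an unredacted label must match exactly, and a
    redacted label may be revealed as anything except "*" or the placeholder
    itself, so a wildcard cert can never hide behind a redaction.
    """
    placeholders = {r.lower() for r in redaction_labels}
    pre = precert_name.lower().rstrip(".").split(".")
    crt = cert_name.lower().rstrip(".").split(".")
    if len(pre) != len(crt):
        return False
    for pl, cl in zip(pre, crt):
        if pl in placeholders:
            # Redacted label: "*" and an unreplaced placeholder are rejected.
            if cl in ("", "*") or cl in placeholders:
                return False
        elif pl != cl:
            return False
    return True


@dataclass(frozen=True)
class Cert:
    """Minimal stand-in for the fields the check needs (constructed type)."""
    issuer: str
    serial: int
    dns_names: Tuple[str, ...]


def matching_final_certs(precert: Cert, candidates: Iterable[Cert]) -> List[Cert]:
    """Return every final cert the redacted precert could correspond to:
    same issuer, same serial, same number of names, and each name an
    acceptable unredaction of the precert name in the same position."""
    matches = []
    for cert in candidates:
        if cert.issuer != precert.issuer or cert.serial != precert.serial:
            continue
        if len(cert.dns_names) != len(precert.dns_names):
            continue
        if all(match_redacted_name(p, n)
               for p, n in zip(precert.dns_names, cert.dns_names)):
            matches.append(cert)
    return matches


def serial_collision(precert: Cert, candidates: Iterable[Cert]) -> bool:
    """True when more than one distinct final cert matches the precert, i.e.
    the CA reused an issuer/serial pair, which RFC 5280 4.1.2.2 forbids."""
    return len(set(matching_final_certs(precert, candidates))) > 1


# Constructed sample data: one redacted precert and three candidate finals.
PRECERT = Cert("CN=Example CA", 0x1234, ("?.example.com", "example.com"))
FINAL_OK = Cert("CN=Example CA", 0x1234, ("mail.example.com", "example.com"))
FINAL_WILDCARD = Cert("CN=Example CA", 0x1234, ("*.example.com", "example.com"))
FINAL_DUP = Cert("CN=Example CA", 0x1234, ("www.example.com", "example.com"))

if __name__ == "__main__":
    print("wildcard hidden behind '?':",
          match_redacted_name("?.example.com", "*.example.com"))
    print("matches:", matching_final_certs(PRECERT, [FINAL_OK, FINAL_WILDCARD]))
    print("serial reused:", serial_collision(PRECERT, [FINAL_OK, FINAL_DUP]))
```

The wildcard cert is rejected by `match_redacted_name`, so it never counts as a match for the precert; the two distinct non-wildcard finals with the same issuer and serial do both match, which is exactly the situation the serial-number uniqueness rule is meant to exclude.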
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans