#54: Simplify name redaction
Comment (by [email protected]):

Alternative "redactedLabels" extension proposal:

Instead of the SEQUENCE OF INTEGERs extension in the current draft, I think we should define an extension that's more similar in syntax to the RFC5280 nameConstraints extension. Instead of "permittedSubtrees" and/or "excludedSubtrees", we'd be listing "redactedSubtrees". I think this approach would reduce the "risk of misalignment".

Here's a rough example of how it could work...

Precertificate:
  Subject:CN   = ?.example.com
  SAN:dNSName  = ?.example.com
  SAN:dNSName  = ?.example.com
  SAN:dNSName  = www.example.com
  SAN:dNSName  = ?.top-secret.com
  SAN:dNSName  = ?.top-secret.com
  SAN:dNSName  = top-secret.com

Certificate:
  Subject:CN   = this-is-redacted-1.example.com
  SAN:dNSName  = this-is-redacted-1.example.com
  SAN:dNSName  = this-is-redacted-2.example.com
  SAN:dNSName  = www.example.com
  SAN:dNSName  = this-is-redacted-3.top-secret.com
  SAN:dNSName  = this-is-redacted-4.top-secret.com
  SAN:dNSName  = top-secret.com
  Extension:redactedSubtrees =
    this-is-redacted-1.example.com
    this-is-redacted-2.example.com
    top-secret.com

--
-------------------------------------+-------------------------------------
 Reporter:  [email protected]         |      Owner:  [email protected]
     Type:  enhancement              |     Status:  new
 Priority:  major                    |  Milestone:
Component:  rfc6962-bis              |    Version:
 Severity:  -                        | Resolution:
 Keywords:                           |
-------------------------------------+-------------------------------------

Ticket URL: <http://trac.tools.ietf.org/wg/trans/trac/ticket/54#comment:3>
trans <http://tools.ietf.org/trans/>
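As an added illustration (not code from the ticket or from the rfc6962-bis draft), here is a check that a final certificate's names line up with its precertificate under the proposed "redactedSubtrees" extension, run over the names from the example above. It assumes that "?" stands for exactly one redacted label, and that a name falls within a listed subtree when it equals it or is a subdomain of it, as for RFC 5280 dNSName name constraints.

```python
# Added example: verify that a certificate is consistent with its
# precertificate under the proposed "redactedSubtrees" extension.
# Assumptions (not stated in the ticket): "?" marks one redacted label,
# and a name is inside a subtree if it equals the subtree or is a
# subdomain of it (RFC 5280 dNSName name-constraint semantics).

def in_subtree(name: str, subtree: str) -> bool:
    """RFC 5280-style dNSName match: equal, or a proper subdomain."""
    name, subtree = name.lower().rstrip("."), subtree.lower().rstrip(".")
    return name == subtree or name.endswith("." + subtree)

def label_matches(pre_label: str, cert_label: str) -> bool:
    """A '?' label accepts anything; any other label must match exactly."""
    return pre_label == "?" or pre_label.lower() == cert_label.lower()

def check_redaction(pre_names, cert_names, redacted_subtrees):
    """Return a list of problems; an empty list means the pair is consistent.

    Names are compared in order, so a shifted or reordered SAN list shows up
    as a mismatch rather than silently being accepted.
    """
    if len(pre_names) != len(cert_names):
        return ["precertificate and certificate carry different name counts"]
    problems = []
    for pre, cert in zip(pre_names, cert_names):
        pre_labels, cert_labels = pre.split("."), cert.split(".")
        if len(pre_labels) != len(cert_labels) or not all(
            map(label_matches, pre_labels, cert_labels)
        ):
            problems.append(f"{cert!r} does not match precertificate name {pre!r}")
            continue
        # A redacted name must be covered by the extension so that a log
        # reader can pair it with the "?" entry in the precertificate.
        if "?" in pre_labels and not any(in_subtree(cert, s) for s in redacted_subtrees):
            problems.append(f"{cert!r} is redacted but not covered by redactedSubtrees")
    return problems

# Names taken from the example in the ticket comment (CN omitted; it
# duplicates the first SAN).
PRE_NAMES = ["?.example.com", "?.example.com", "www.example.com",
             "?.top-secret.com", "?.top-secret.com", "top-secret.com"]
CERT_NAMES = ["this-is-redacted-1.example.com", "this-is-redacted-2.example.com",
              "www.example.com", "this-is-redacted-3.top-secret.com",
              "this-is-redacted-4.top-secret.com", "top-secret.com"]
REDACTED_SUBTREES = ["this-is-redacted-1.example.com",
                     "this-is-redacted-2.example.com", "top-secret.com"]

if __name__ == "__main__":
    print(check_redaction(PRE_NAMES, CERT_NAMES, REDACTED_SUBTREES))  # prints []
```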
