On 29/01/15 21:41, Daniel Kahn Gillmor wrote:
> On Wed 2015-01-28 18:19:58 -0500, Rob Stradling wrote:
<Useful explanation snipped - thanks DKG>
>> Or if not, is there any reason to prefer option 1 over option 2, or vice
>> versa?
>
> I think you're right, we should go for option 2 (also, it's the
> simplest and easiest to explain, I think).
On 28/01/15 23:50, Jeremy Rowley wrote:
> I'd prefer option 2 for simplicity and because I think the CT log
> should reflect the number of levels redacted. Do you gain much
> advantage if topsecret.secret.example.com is redacted as
> (PRIVATE).example.com v. ?.?.example.com. I think the second is more
> straight forward and gives more insight on what certs are out there.
OK, let's discard option 1 and option 3. Before we settle on option 2,
here's an option 4 to consider...
4. "?" matching =1 character in a redacted label.
Examples:
"dkg.example.net" would be redacted as "???.example.net".
"???.example.net" cannot match "jeremy.example.net", because the label
lengths are different (i.e. 3 != 6).
However, "???.example.net" might match "rob.example.net".
"topsecret.secret.example.com" would be redacted as
"?????????.??????.example.com".
I don't think there's anything to gain from redacting the length of a
label, so I prefer option 4. Any thoughts?
AFAICT, matching =1 character seems marginally more consistent with other
uses of "?" as a wildcard character:
http://en.wikipedia.org/wiki/Wildcard_character
"In Unix-like and DOS operating systems, the question mark ("?") matches
exactly one character;"
"In Microsoft Access, wildcard characters can be used in "LIKE"
expressions; the asterisk sign (*) matches zero or more characters, and
the question mark (?) matches a single character."
--
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
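The two redaction schemes compared in the thread, as an added worked example that is not from the mailing list or from any CT implementation. Option 4 is modelled exactly as Rob describes it (every character of a redacted label becomes "?", so label lengths survive redaction). Option 2 is modelled from Jeremy's "?.?.example.com" example on the assumption that a single "?" stands for one whole redacted label; that reading is an assumption, not something the thread spells out. The function and scheme names are made up for this example, and the candidate host names are constructed test data.

```python
"""Added example (not from the trans thread): label redaction for CT entries.

Schemes modelled:
  OPTION2 -- each redacted label becomes a single "?" (assumed reading of
             Jeremy's "?.?.example.com"); "?" then matches one whole label.
  OPTION4 -- each character of a redacted label becomes "?" (Rob's proposal);
             "?" matches exactly one character, so label length is preserved.
"""
from __future__ import annotations

OPTION2 = "option2"  # one "?" per redacted label
OPTION4 = "option4"  # one "?" per redacted character


def split_labels(name: str) -> list[str]:
    """Lower-case (DNS is case-insensitive), drop a trailing dot, split on '.'."""
    labels = name.lower().rstrip(".").split(".")
    if any(label == "" for label in labels):
        raise ValueError(f"empty label in {name!r}")
    return labels


def redact(name: str, n_labels: int, scheme: str) -> str:
    """Redact the n_labels leftmost labels of name under the given scheme.

    "?" is not a legal hostname character (RFC 952/1123), so a redacted
    entry can never be confused with a real name under either scheme.
    """
    labels = split_labels(name)
    if not 0 <= n_labels < len(labels):
        raise ValueError("at least one label must stay unredacted")
    out = []
    for i, label in enumerate(labels):
        if i >= n_labels:
            out.append(label)
        elif scheme == OPTION2:
            out.append("?")
        elif scheme == OPTION4:
            out.append("?" * len(label))
        else:
            raise ValueError(f"unknown scheme {scheme!r}")
    return ".".join(out)


def label_matches(pattern: str, label: str, scheme: str) -> bool:
    """Could `label` be the cleartext behind one redacted label `pattern`?"""
    if scheme == OPTION2:
        # a lone "?" stands in for any whole label; anything else is literal
        return pattern == "?" or pattern == label
    # option 4: lengths must agree, then "?" matches exactly one character
    if len(pattern) != len(label):
        return False
    return all(p == "?" or p == c for p, c in zip(pattern, label))


def matches(redacted: str, name: str, scheme: str) -> bool:
    """Could `name` be the DNS name behind the redacted CT entry `redacted`?"""
    pattern = split_labels(redacted)
    labels = split_labels(name)
    if len(pattern) != len(labels):
        return False  # both schemes keep the number of labels visible
    return all(label_matches(p, l, scheme) for p, l in zip(pattern, labels))


def consistent_candidates(redacted: str, candidates: list[str], scheme: str) -> list[str]:
    """Filter a guess list down to names the redacted entry could stand for.

    This is what a log consumer trying to de-redact an entry would do, and it
    shows the trade-off in the thread: option 4 leaks label lengths and so
    eliminates more guesses than option 2.
    """
    return [c for c in candidates if matches(redacted, c, scheme)]


if __name__ == "__main__":
    # constructed sample data, not real certificates
    guesses = ["rob.example.net", "dkg.example.net", "jeremy.example.net"]
    for scheme in (OPTION2, OPTION4):
        entry = redact("dkg.example.net", 1, scheme)
        print(scheme, entry, "->", consistent_candidates(entry, guesses, scheme))
    print(redact("topsecret.secret.example.com", 2, OPTION4))
```

Running it prints the option 2 entry `?.example.net`, which is consistent with all three guesses, and the option 4 entry `???.example.net`, which rules out `jeremy.example.net` on length alone while keeping `rob` and `dkg`; the last line reproduces Rob's `?????????.??????.example.com` example.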