I agree that there isn't much to gain with matching "?" to each character.
(Would you ever want to do "t?psecret.example.com"?)

Option 4 is preferable since it indicates a label exists. 

Plus, the document referenced (the Federal Glossary of Telecommunication Terms) 
indicates you can use "?" to reference an entire string as long as that is 
specified.  As long as the meaning of the "?" character is clear in the RFC, I 
don't think we're breaking established conventions.

-----Original Message-----
From: Rob Stradling [mailto:[email protected]] 
Sent: Friday, January 30, 2015 9:09 AM
To: Daniel Kahn Gillmor; [email protected]; Jeremy Rowley
Subject: Re: [Trans] [trans] #54 (rfc6962-bis): Simplify name redaction

On 29/01/15 21:41, Daniel Kahn Gillmor wrote:
> On Wed 2015-01-28 18:19:58 -0500, Rob Stradling wrote:
<Useful explanation snipped - thanks DKG>
>> Or if not, is there any reason to prefer option 1 over option 2, or 
>> vice versa?
>
> I think you're right, we should go for option 2 (also, it's the 
> simplest and easiest to explain, i think).

On 28/01/15 23:50, Jeremy Rowley wrote:
> I'd prefer option 2 for simplicity and because I think the CT log 
> should reflect the number of levels redacted. Do you gain much 
> advantage if topsecret.secret.example.com is redacted as 
> (PRIVATE).example.com v. ?.?.example.com.  I think the second is more 
> straight forward and gives more insight on what certs are out there.

OK, let's discard option 1 and option 3.  Before we settle on option 2, here's 
an option 4 to consider...

4. "?" matching =1 character in a redacted label.

Examples:
"dkg.example.net" would be redacted as "???.example.net".
"???.example.net" cannot match "jeremy.example.net", because the label lengths 
are different (i.e. 3 != 6).
However, "???.example.net" might match "rob.example.net".

"topsecret.secret.example.com" would be redacted as 
"?????????.??????.example.com".


I don't think there's anything to gain from redacting the length of a 
label, so I prefer option 4.  Any thoughts?


AFAICT, matching =1 character seems marginally more consistent with other 
uses of "?" as a wildcard character:
http://en.wikipedia.org/wiki/Wildcard_character
"In Unix-like and DOS operating systems, the question mark ("?") matches 
exactly one character;"
"In Microsoft Access, wildcard characters can be used in "LIKE" 
expressions; the asterisk sign (*) matches zero or more characters, and 
the question mark (?) matches a single character."

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans