Although I just realized you're probably wondering if you can substitute "?" for "*" - so *.example.com would become ?.example.com.
It's a good question. I think there's real value in knowing whether a wildcard cert was issued over a non-wildcard. I'd actually like the RFC to say you can't substitute ? for a wildcard character as you're essentially substituting ? for an unlimited number of base domain names.

-----Original Message-----
From: Trans [mailto:[email protected]] On Behalf Of Jeremy Rowley
Sent: Friday, January 30, 2015 1:36 PM
To: Peter Bowen; Daniel Kahn Gillmor
Cc: Scott R. Corzine; Salz, Rich; Rob Stradling; trans
Subject: Re: [Trans] [trans] #54 (rfc6962-bis): Simplify name redaction

* isn't a redacted label so the example (*.?.example.com) wouldn't be allowed. Also, the CAB Forum prohibits * characters except as the leftmost label in the cert. Therefore, you would never have an instance with both a "?" and a "*" in the same cert.

-----Original Message-----
From: Trans [mailto:[email protected]] On Behalf Of Peter Bowen
Sent: Friday, January 30, 2015 1:13 PM
To: Daniel Kahn Gillmor
Cc: Scott R. Corzine; Salz, Rich; Rob Stradling; trans
Subject: Re: [Trans] [trans] #54 (rfc6962-bis): Simplify name redaction

On Fri, Jan 30, 2015 at 11:28 AM, Daniel Kahn Gillmor <[email protected]> wrote:
> On Fri 2015-01-30 13:28:17 -0500, Salz, Rich wrote:
>>> Do you think we should support redacting (for example)
>>> "public.secret.example.com" to "public.?.example.com" ?
>>
>> No. Maybe later if there is a strong demand for this. YAGNI, right?
>
> Barring anyone else speaking up with a clear use case, i'm convinced
> by Scott and Rich that we don't need this -- so ? redactions are only
> allowable at the front of the domain name. No redacted labels can be
> higher in the DNS hierarchy than any non-redacted label.

Is "?" allowed to substitute for "*"? I would prefer not, which means that it might be reasonable to have "*.?.example.com" (assuming ?.example.com is reasonable).

Thanks,
Peter
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
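
The rules stated in the thread above, written out as a checker. This is an added example, not part of any message in the thread and not text from rfc6962-bis; the function names are hypothetical, and it assumes one "?" per hidden label and that at least one label stays visible.

```python
REDACTED, WILDCARD = "?", "*"

def _labels(name):
    return name.rstrip(".").lower().split(".")

def redacted_name_error(name):
    """Return None if `name` obeys the rules quoted in the thread, else a reason."""
    labels = _labels(name)
    if "" in labels:
        return "empty label"
    # CAB Forum rule cited by Jeremy Rowley: "*" only as the leftmost label.
    if WILDCARD in labels[1:]:
        return "wildcard is not the leftmost label"
    # Rule summarised by Daniel Kahn Gillmor: "?" only at the front, so no
    # redacted label may sit above (to the right of) a non-redacted one.
    # "*" counts as non-redacted here, which is why "*.?.example.com" fails.
    lead = 0
    while lead < len(labels) and labels[lead] == REDACTED:
        lead += 1
    if REDACTED in labels[lead:]:
        return "redacted label above a non-redacted label"
    if lead == len(labels):  # assumption: something must stay visible
        return "name is entirely redacted"
    return None

def redaction_error(original, redacted):
    """Check `redacted` against the `original` name it claims to hide."""
    err = redacted_name_error(redacted)
    if err:
        return err
    o, r = _labels(original), _labels(redacted)
    if len(o) != len(r):  # assumption: one "?" per hidden label
        return "label count differs"
    for ol, rl in zip(o, r):
        if rl == REDACTED:
            if ol == WILDCARD:  # position argued in the thread, not settled text
                return "'?' substituted for a wildcard"
        elif rl != ol:
            return "visible label differs"
    return None

if __name__ == "__main__":
    # Constructed sample names, taken from the forms discussed in the thread.
    for n in ("?.example.com", "public.?.example.com", "*.?.example.com"):
        print(n, "->", redacted_name_error(n) or "ok")
    print(redaction_error("*.example.com", "?.example.com"))
```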
