On Fri 2015-01-30 15:13:21 -0500, Peter Bowen wrote:
> On Fri, Jan 30, 2015 at 11:28 AM, Daniel Kahn Gillmor
> <[email protected]> wrote:
>> On Fri 2015-01-30 13:28:17 -0500, Salz, Rich wrote:
>>>> Do you think we should support redacting (for example)
>>>> "public.secret.example.com" to "public.?.example.com" ?
>>>
>>> No. Maybe later if there is a strong demand for this. YAGNI, right?
>>
>> Barring anyone else speaking up with a clear use case, i'm convinced by
>> Scott and Rich that we don't need this -- so ? redactions are only
>> allowable at the front of the domain name. No redacted labels can be
>> higher in the DNS hierarchy than any non-redacted label.
>
> Is "?" allowed to substitute for "*"? I would prefer not, which
> means that it might be reasonable to have "*.?.example.com" (assuming
> ?.example.com is reasonable).
Thanks for raising this, Peter. Can you explain why you think it
shouldn't be OK for "?" to substitute for "*"?
I'm trying to think through the different attack scenarios that CT is
intended to mitigate (or at least expose), and the rationales for label
redaction, and i'm not seeing why "?" shouldn't be able to stand in for
the wildcard.
--dkg
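The placement rule agreed in the thread above (redacted "?" labels only at the front of the name, never higher in the DNS hierarchy than a non-redacted label), as an added checker that is not part of the thread or of any CT implementation. The function name and the `wildcard_may_precede_redaction` switch are my own; the switch exists only to show how Peter's "*.?.example.com" form fares under each reading of "*", which the thread leaves open.

```python
# Added example (not from the thread): validate a redacted DNS name against the
# rule that every "?" label must sit at the left end of the name, so no redacted
# label is higher in the hierarchy than any non-redacted label.

REDACTED = "?"   # redacted-label marker used in the thread
WILDCARD = "*"   # ordinary certificate wildcard label


def redaction_is_valid(name: str, wildcard_may_precede_redaction: bool = False) -> bool:
    """Return True if all "?" labels form a contiguous run at the front of NAME.

    wildcard_may_precede_redaction is a hypothetical switch: when True, one
    leading "*" is tolerated in front of the redacted run ("*.?.example.com");
    when False, "*" counts as a non-redacted label and such a name is rejected.
    """
    labels = name.rstrip(".").split(".")
    if not labels or any(label == "" for label in labels):
        return False  # empty name or empty label ("a..b") is malformed

    if wildcard_may_precede_redaction and labels[0] == WILDCARD:
        labels = labels[1:]

    # Consume the leading run of redacted labels.
    i = 0
    while i < len(labels) and labels[i] == REDACTED:
        i += 1
    rest = labels[i:]

    # Something non-redacted must remain (a fully redacted name says nothing),
    # and nothing after the leading run may be redacted.
    return bool(rest) and REDACTED not in rest


if __name__ == "__main__":
    # Constructed sample names taken from the forms discussed in the thread.
    for sample in ("?.secret.example.com", "public.?.example.com",
                   "*.?.example.com", "?.?.example.com", "example.com"):
        print(f"{sample:24} strict={redaction_is_valid(sample)} "
              f"wildcard-first={redaction_is_valid(sample, True)}")
```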
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans