#60: The number of redacted labels should be revealed in the Precertificate
The current -bis draft says:
'When creating a Precertificate, the CA MAY substitute one or more of
the complete leftmost labels in each DNS-ID with the literal string
"(PRIVATE)".'
In a recent thread on the list there was clear support for the idea of
requiring a separate token for each redacted label, instead of permitting
one token to cover several redacted labels.
Also, it would be nice to use a token that is shorter than "(PRIVATE)".
Steve Kent has asked that we consult some DNS experts before we make a
final decision on what the token will be. I'll kick off some discussion
on that and report back to this ticket. For now, my proposal is "?".
Quick comparison of how to redact 2 labels from "a.b.example.com":
Current -bis draft: (PRIVATE).example.com
This proposal: ?.?.example.com
--
-------------------------------------+-------------------------------------
Reporter: | Owner: draft-ietf-trans-
[email protected] | [email protected]
Type: enhancement | Status: new
Priority: major | Milestone:
Component: rfc6962-bis | Version:
Severity: - | Keywords:
-------------------------------------+-------------------------------------
Ticket URL: <http://trac.tools.ietf.org/wg/trans/trac/ticket/60>
trans <http://tools.ietf.org/trans/>
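
The comparison in the ticket, worked through as an added example (not code from the -bis draft or from the ticket's author). The two tokens come from the ticket text; the function names and the `could_match` check a log monitor might run are assumptions made for illustration.

```python
DRAFT_TOKEN = "(PRIVATE)"    # current -bis draft: one token may hide several labels
PER_LABEL_TOKEN = "?"        # this ticket's proposal: one token per hidden label


def _split(dns_id, n):
    labels = dns_id.split(".")
    if not 0 < n < len(labels):
        raise ValueError("must redact at least one label and keep at least one")
    return labels


def redact_draft(dns_id, n):
    """Replace the n leftmost labels with a single "(PRIVATE)" token."""
    return ".".join([DRAFT_TOKEN] + _split(dns_id, n)[n:])


def redact_per_label(dns_id, n):
    """Replace each of the n leftmost labels with its own "?" token."""
    return ".".join([PER_LABEL_TOKEN] * n + _split(dns_id, n)[n:])


def redacted_count(name):
    """Number of hidden labels a reader can infer; None if it is not revealed."""
    labels = name.split(".")
    if labels[0] == DRAFT_TOKEN:
        return None
    count = 0
    while count < len(labels) and labels[count] == PER_LABEL_TOKEN:
        count += 1
    return count


def could_match(redacted, full):
    """Hypothetical monitor check: could `full` be the name behind `redacted`?"""
    r, f = redacted.split("."), full.lower().split(".")
    k = redacted_count(redacted)
    if k is None:
        # Label count unknown: any deeper name under the visible suffix fits.
        suffix = [label.lower() for label in r[1:]]
        return len(f) > len(suffix) and f[len(f) - len(suffix):] == suffix
    # Label count revealed: depth must agree and the visible labels must match.
    return len(f) == len(r) and f[k:] == [label.lower() for label in r[k:]]


if __name__ == "__main__":
    for fn in (redact_draft, redact_per_label):
        name = fn("a.b.example.com", 2)
        print(name, redacted_count(name), could_match(name, "a.b.c.d.example.com"))
```

With the single token, a six-label name is indistinguishable from the four-label one; with per-label tokens the depth mismatch is detectable.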