I'm looking for feedback on limiting the name redaction mechanism specified in section 4.2 of RFC6962-bis <https://tools.ietf.org/html/draft-ietf-trans-rfc6962-bis-14#section-4.2>.
My proposal is to allow redaction of only the first DNS-ID in the subjectAltName extension. Right now 6962-bis allows redaction of multiple DNS-IDs by requiring an extension with repeating integer values, each indicating the number of redacted labels in the corresponding DNS-ID entry. I am proposing this to simplify implementing clients: not having to loop over one extension, match it with fields in another extension and deal with the edge cases where there's a mismatch is one less source of bugs. However, it may enforce certain limitations on CAs / domain owners that are fundamental to this feature (each redacted domain name will need to be in a separate certificate, for a start, or not being able to redact a CN-ID). Hence feedback is appreciated.

Eran
_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
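To make the client-side complexity Eran describes concrete, here is an added illustration that is not part of the post or of the draft's own text. It models the two designs side by side: the general variant, where a per-entry list of redacted-label counts has to be walked in lock-step with the SAN DNS-IDs and every mismatch handled, and the proposed variant, where a single count applies to the first DNS-ID only. The data model (a plain list of DNS-ID strings beside a list of integer counts, with redacted labels rendered as "?" and at least one label required to remain) is an assumption made for this example, not a transcription of the draft's ASN.1.

```python
"""Compare multi-entry label-count redaction with a first-DNS-ID-only variant.

Added example. The representation is assumed for illustration: DNS-IDs are
strings, redacted-label counts are ints, a redacted label becomes "?", and at
least one label must stay visible. None of this is the draft's exact encoding.
"""
from typing import List


class RedactionError(ValueError):
    """Raised when the count data and the SAN entries cannot be reconciled."""


def redact_name(name: str, count: int) -> str:
    """Replace the leftmost `count` labels of `name` with "?" (assumed form)."""
    labels = name.split(".")
    if any(label == "" for label in labels):
        raise RedactionError(f"malformed DNS-ID: {name!r}")
    # Assumed rule for this example: at least one label must remain visible.
    if count < 0 or count >= len(labels):
        raise RedactionError(f"count {count} out of range for {name!r}")
    return ".".join(["?"] * count + labels[count:])


def redact_all(dns_ids: List[str], counts: List[int]) -> List[str]:
    """General variant: one count per DNS-ID, matched positionally.

    The client must verify that both sequences line up before trusting
    either, which is exactly the cross-extension bookkeeping the post
    argues against.
    """
    if len(counts) != len(dns_ids):
        raise RedactionError(
            f"{len(counts)} counts for {len(dns_ids)} DNS-IDs (length mismatch)"
        )
    return [redact_name(name, count) for name, count in zip(dns_ids, counts)]


def redact_first_only(dns_ids: List[str], count: int) -> List[str]:
    """Proposed variant: a single count that applies to the first DNS-ID only."""
    if not dns_ids:
        raise RedactionError("no DNS-ID present to redact")
    return [redact_name(dns_ids[0], count)] + list(dns_ids[1:])


def counts_consistent(redacted_ids: List[str], counts: List[int]) -> bool:
    """Verify that the visible '?' labels agree with the declared counts.

    This is the reverse check a relying party would run on a precertificate
    under the general variant: every entry must be inspected and the count
    list length must match, or the pair is rejected.
    """
    if len(redacted_ids) != len(counts):
        return False
    for name, count in zip(redacted_ids, counts):
        labels = name.split(".")
        leading = 0
        while leading < len(labels) and labels[leading] == "?":
            leading += 1
        if leading != count or "?" in labels[leading:]:
            return False
    return True


if __name__ == "__main__":
    # Constructed sample SAN contents.
    sans = ["www.internal.example.com", "mail.example.org"]
    print(redact_all(sans, [2, 1]))
    print(redact_first_only(sans, 2))
    try:
        redact_all(sans, [2])  # one count short: the general variant must reject
    except RedactionError as err:
        print("rejected:", err)
```

The general path needs the length check, the per-entry range check and the reverse consistency check; the first-only path needs just the range check on one entry, which is the simplification being proposed, at the cost that a second redacted name has to go in another certificate.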
