Hi John,

On 02/12/2015 13:42, John R Levine wrote:
>> But it has to be signed by a CA. If the CA is not happy for you to
>> assert SRV-ID, it should not include SRV-ID in an issued certificate.
> Now I'm really confused. Are you saying the SRV-ID is optional?

I am saying that CAs can't sign what they can't validate. This is
nothing new; the same applies to DNS-ID or CN-ID. So if a CA wants to
sign SRV-ID, it needs a way to validate it.

> If so, what's the point of it? In nearly all cases, there's no way
> for a CA to tell what SRV-IDs it should allow, so nobody will use them.

Some enterprise CAs, or CAs which are also MSPs, might be able to validate
SRV-IDs. Also, when an SRV record points to a subdomain of the right-hand
side, a CA might treat this as allowed without validation.

> (This is in addition to the problems that a large mail host handles
> tens of thousands of domains, and the list changes every day.)
>
> Regards,
> John Levine, [email protected], Taughannock Networks, Trumansburg NY
> Please consider the environment before reading this e-mail.
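The "subdomain of the right-hand side" rule from the message above, as an added worked example that is not part of this thread and not any CA's actual issuance code. It parses an RFC 6125 SRV-ID of the form `_service.domain`, consults an SRV answer and classifies the request as allowed (every SRV target sits inside the already-validated right-hand side), needing separate validation (a target lies outside it, as with a domain hosted at a provider), or refused (the right-hand side itself was never validated). Assumptions: the SRV answers are a constructed in-memory table rather than real DNS lookups, the lookup uses `_tcp` because an SRV-ID does not carry the protocol, and all function names are my own.

```python
"""Triage of SRV-ID requests for a certificate (added example, not from the thread)."""
import re

# RFC 6125 SRV-ID shape: "_Service.Name", e.g. "_imap.example.com".
_SRV_ID = re.compile(r"^_([a-z0-9-]+)\.([a-z0-9.-]+)\.?$", re.IGNORECASE)

# Constructed SRV answers keyed by owner name (hypothetical hosts, no real DNS).
FAKE_SRV = {
    "_imap._tcp.example.com": ["mail.example.com"],          # inside example.com
    "_submission._tcp.example.com": ["smtp.provider.example"],  # hosted elsewhere
    "_imap._tcp.example.net": ["mail.example.com"],          # hosted at example.com
}


def parse_srv_id(srv_id):
    """Split an SRV-ID into (service, right-hand-side domain), both lower-cased."""
    m = _SRV_ID.match(srv_id)
    if not m:
        raise ValueError("malformed SRV-ID: %r" % (srv_id,))
    return m.group(1).lower(), m.group(2).lower().rstrip(".")


def is_within(name, parent):
    """True when name equals parent or is a label-aligned subdomain of it."""
    name, parent = name.lower().rstrip("."), parent.lower().rstrip(".")
    return name == parent or name.endswith("." + parent)


def classify_srv_id(srv_id, validated_domains, srv_table=FAKE_SRV, proto="tcp"):
    """Return one of:
      'allowed'  - right-hand side validated and every SRV target sits inside it
      'validate' - no SRV record, or a target outside the domain; needs another check
      'refuse'   - the right-hand side was never validated, so nothing can be signed
    The SRV-ID carries no protocol, so the lookup assumes _tcp (assumption)."""
    service, domain = parse_srv_id(srv_id)
    # A CA cannot sign what it has not validated: the domain must be covered first.
    if not any(is_within(domain, v) for v in validated_domains):
        return "refuse"
    targets = srv_table.get("_%s._%s.%s" % (service, proto, domain))
    if not targets:
        return "validate"
    # The shortcut only applies when the record stays inside the right-hand side.
    if all(is_within(t, domain) for t in targets):
        return "allowed"
    return "validate"


if __name__ == "__main__":
    for req in ("_imap.example.com", "_submission.example.com", "_imap.example.net"):
        print(req, "->", classify_srv_id(req, ["example.com"]))
```

The third constructed entry shows the large-mail-host case from the thread: `example.net` is served by a host under `example.com`, so even with `example.net` validated the SRV target falls outside it and the shortcut does not apply.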
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta