On Tue, Jul 30, 2019 at 11:16:25PM -0700, Jim Fenton wrote:

> The RFC 7672 definition of Reference Identifier includes the CN-ID, so it
> would be more consistent to include it when referencing 6125 as well.

For the record, RFC7672 has aged a bit since ~2014 when most of it was
written, so at some point support for CN-ID could be reconsidered.

In that light, I took a look at the certificates currently live on MX
hosts found by the DANE survey, and of 854 certificates on MX hosts that
use DANE-TA records (for which name checks are in scope) 22 have CN-ID
and no SAN. That may be too high a rate to pull the plug just yet. :-(

One notable example is the state of Bavaria:

  bayern.de. IN MX 10 mail.bayern.de. ; NoError AD=1
  _25._tcp.mail.bayern.de. IN TLSA 2 0 1 32a2bc1d515cdbc412b62b47a1cccf2bb1b8e3ef309f982458d3a7c61797422a ; NoError AD=1
    cert sha256 [matched] <- 2 0 1 32a2bc1d515cdbc412b62b47a1cccf2bb1b8e3ef309f982458d3a7c61797422a
    cert sha256 [matched] <- 2 0 1 32a2bc1d515cdbc412b62b47a1cccf2bb1b8e3ef309f982458d3a7c61797422a

which sports a V1 cert (no extensions, hence no SANs). The issuer looks
like a private CA:

  C = DE
  ST = Bayern
  O = Freistaat Bayern
  CN = Bayerische DANE-CA

-- 
Viktor.

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
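The DANE-TA name check under discussion, as an added example written for this page (not Viktor's code nor the survey tool's): SAN dNSName entries are authoritative when present, CN-ID is a fallback only for a certificate with no SAN at all, and a policy switch shows what dropping CN-ID would do to a V1 certificate like the Bavarian one. The DER bytes and the subject CN mail.bayern.de are constructed placeholders, and the wildcard rule is an assumed simplification (whole left-most label, matching exactly one label).

```python
import hashlib

# TLSA matching types (RFC 6698/7672): 0 = full data, 1 = SHA-256, 2 = SHA-512.
_MATCHING = {
    0: lambda d: d,
    1: lambda d: hashlib.sha256(d).digest(),
    2: lambda d: hashlib.sha512(d).digest(),
}

def tlsa_matches(selector_data: bytes, matching_type: int, assoc_hex: str) -> bool:
    """Compare the selected certificate data (selector 0 = full DER cert) with the
    record's certificate association data. For a '2 0 1' record this is SHA-256(DER)."""
    return _MATCHING[matching_type](selector_data) == bytes.fromhex(assoc_hex)

def _name_matches(presented: str, reference: str) -> bool:
    """Case-insensitive DNS name match. Assumed simplification: a wildcard is
    accepted only as the entire left-most label and matches exactly one label."""
    p = presented.lower().rstrip(".").split(".")
    r = reference.lower().rstrip(".").split(".")
    if len(p) != len(r) or (p[0] == "*" and len(p) < 3):
        return False
    if p[0] == "*":
        return p[1:] == r[1:]
    return p == r

def dane_ta_name_ok(san_dns, subject_cn, reference_ids, allow_cn_id=True) -> bool:
    """DANE-TA(2) name check: SAN dNSName entries are used whenever any exist;
    the subject CN (CN-ID) is consulted only for a certificate with no SAN
    dNSName at all, and only while local policy still allows CN-ID."""
    if san_dns:
        candidates = list(san_dns)
    elif allow_cn_id and subject_cn:
        candidates = [subject_cn]
    else:
        candidates = []
    return any(_name_matches(c, ref) for c in candidates for ref in reference_ids)

# Constructed sample, not a real certificate: a V1 cert carries no SAN, only a CN.
SAMPLE_DER = b"constructed DER bytes standing in for a V1 certificate"
SAMPLE_TLSA_201 = hashlib.sha256(SAMPLE_DER).hexdigest()
REFERENCE_IDS = ["mail.bayern.de"]  # TLSA base domain taken from the MX record

if __name__ == "__main__":
    print(tlsa_matches(SAMPLE_DER, 1, SAMPLE_TLSA_201))                          # True
    print(dane_ta_name_ok([], "mail.bayern.de", REFERENCE_IDS))                   # True (via CN-ID)
    print(dane_ta_name_ok([], "mail.bayern.de", REFERENCE_IDS, allow_cn_id=False))  # False
```

With allow_cn_id=False the 22 CN-only certificates from the survey would fail the name check even though their TLSA digests still match, which is the trade-off the message weighs.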