[cabf_validation] [EXTERNAL] SRVNames in subjectAltNames and nameConstraints
Ryan Sleevi
sleevi at google.com
Tue Jun 1 14:22:17 UTC 2021
Hi Paul,
It took several reads of your email to make sense of the problem you're
trying to solve. It might make sense to put that up-front.
Your understanding of SRVNames is not necessarily correct, unfortunately.
The wording of 4985 is a bit ambiguous with respect to the "." zone (the
DNS root), and whether it requires a hostname be expressed when it's not
expressing a service name or SRVName. As a consequence, the only
constraining is done through permission - similar to URIs and RFC 822.
I was tackling this with the profiles work, and haven't updated the draft
to reflect this (i.e. the current branch is buggy and says use zero-length
SRVName, which is what you should *not* do to get the desired result)
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20210601/c3a50001/attachment.html>
More information about the Validation
mailing list