[cabfpub] Ballot 184 - SRVnames

Peter Bowen pzb at amzn.com
Wed Nov 15 17:55:02 UTC 2017



> On Nov 15, 2017, at 9:46 AM, Gervase Markham via Public <public at cabforum.org> wrote:
> 
> On 15/11/17 09:38, Ryan Sleevi wrote:
>> I gave an option immediately preceding the text you snipped, along with
>> the trade-offs such options come with. 
> 
> So you are suggesting we don't enable SRVnames until someone has specced
> such an extension and it's been implemented?

Another option is to just forbid CAs with DNS name constraints from issuing SRVname certificates unless they have SRVname constraints defined as well.  That doesn’t change things compared to today — the only thing preventing them from issuing SRVname certificates is the BRs.

Thanks,
Peter


More information about the Public mailing list