[cabfpub] Ballot 184 - SRVnames

Jeremy Rowley jeremy.rowley at digicert.com
Thu Oct 19 07:44:54 MST 2017

Hey Gerv, I think the intent was that they don't apply, but the language is
definitely unclear. From the RFC:

"SRVName restrictions are expressed as a complete SRVName
   (_mail.example.com), just a service name (_mail), or just as a DNS
   name (example.com).  The name restriction of the service name part
   and the DNS name part of SRVName are handled separately."

This seems to indicate SRV restrictions are something new compared to domain
name constraints. I suppose it's largely up to UAs implementing the RFC at
this point.

Still looking for two endorsers.


-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org]
Sent: Tuesday, October 10, 2017 5:26 AM
To: Jeremy Rowley <jeremy.rowley at digicert.com>; CA/Browser Forum Public
Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Ballot 184 - SRVnames

On 04/10/17 06:38, Jeremy Rowley via Public wrote:
> Probably time to finish this ballot off.  This is the last version I
> have, slightly modified to remove the 822 and other language.  Thoughts?

Do DNSName name constraints in a TCSC apply to the DNS name part of the
SRVName? I've read section 4 of https://tools.ietf.org/html/rfc4985 but it
doesn't seem clear to me whether the restrictions specced there are a totally
new sort of restriction, or whether they leverage the existing DNS name
restriction abilities for the DNS name part and just add the ability to also
restrict the service name.
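
The following is an added example, not part of either message or of any CA/Browser Forum or UA code: a Python sketch of how an SRVName-type restriction could be evaluated with the service part and the DNS part handled separately, as the quoted RFC 4985 text describes. The function names, the case-insensitive comparison and the sample names are assumptions made here; it evaluates only SRVName restrictions and takes no position on whether dNSName constraints also apply.

```python
def split_srvname(value):
    """Split '_service.dns.name', '_service' or 'dns.name' into (service, dns).

    Either element is None when that part is absent.
    Assumption: both parts are compared case-insensitively.
    """
    value = value.strip().lower()
    if value.startswith("_"):
        service, _, dns = value.partition(".")
        return service, (dns or None)
    return None, (value or None)


def dns_part_satisfies(constraint_dns, name_dns):
    """True if name_dns equals the restriction or only adds whole labels on the left."""
    return name_dns == constraint_dns or name_dns.endswith("." + constraint_dns)


def srvname_satisfies(constraint, srvname):
    """Evaluate one SRVName restriction against one SRVName from a certificate."""
    c_service, c_dns = split_srvname(constraint)
    n_service, n_dns = split_srvname(srvname)
    if n_service is None or n_dns is None:
        raise ValueError("not a complete SRVName: %r" % srvname)
    if c_service is None and c_dns is None:
        raise ValueError("empty restriction")
    # A restriction that carries a service name needs the same service name.
    if c_service is not None and c_service != n_service:
        return False
    # A restriction that carries a DNS name needs a matching DNS part.
    if c_dns is not None and not dns_part_satisfies(c_dns, n_dns):
        return False
    return True


def permitted(restrictions, srvname):
    """Permitted-subtree style check: the name must satisfy at least one restriction."""
    return any(srvname_satisfies(r, srvname) for r in restrictions)


if __name__ == "__main__":
    # Constructed sample names, not taken from any real certificate.
    samples = ["_mail.example.com", "_mail.host.example.com",
               "_ntp.example.com", "_mail.1example.com"]
    for restriction in ["_mail.example.com", "_mail", "example.com"]:
        for name in samples:
            print("%-18s %-24s %s" % (restriction, name,
                                      srvname_satisfies(restriction, name)))
```
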
