[cabfpub] Ballot 184 - SRVnames
jeremy.rowley at digicert.com
Thu Oct 19 07:44:54 MST 2017
Hey Gerv, - I think the intent was that they don't apply, but the language is
definitely unclear. From the RFC:
"SRVName restrictions are expressed as a complete SRVName
(_mail.example.com), just a service name (_mail), or just as a DNS
name (example.com). The name restriction of the service name part
and the DNS name part of SRVName are handled separately."
This seems to indicate SRV restrictions are something new compared to domain
name constraints. I suppose it's largely up to UA's implementing the RFC at
Still looking for two endorsers.
From: Gervase Markham [mailto:gerv at mozilla.org]
Sent: Tuesday, October 10, 2017 5:26 AM
To: Jeremy Rowley <jeremy.rowley at digicert.com>; CA/Browser Forum Public
Discussion List <public at cabforum.org>
Subject: Re: [cabfpub] Ballot 184 - SRVnames
On 04/10/17 06:38, Jeremy Rowley via Public wrote:
> Probably time to finish this ballot off. This is the last version I
> have, slightly modified to remove the 822 and other language. Thoughts?
Do DNSName name constraints in a TCSC apply to the DNS name part of the
SVRName? I've read section 4 of https://tools.ietf.org/html/rfc4985 but it
doesn't seem clear to me whether the restrictions specced there are a totally
new sort of restriction, or whether they leverage the existing DNS name
restriction abilities for the DNS name part and just add the ability to also
restrict the service name.
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 4984 bytes
Desc: not available
More information about the Public