[Servercert-wg] [cabf_validation] Underscores, DNSNames, and SRVNames

Richard Smith rich at comodoca.com
Mon Oct 15 20:02:52 MST 2018


I agree with everything you’re saying. I guess at this point I’m arguing from my own ignorance. I have only a passing familiarity with the RFCs. I’ve browsed through them but I’m not on the technical end so I mostly let Rob worry about RFCs and he mostly lets me worry about BR and EVG though in fairness he’s more familiar with the latter than I am with the former. But that’s my point I guess. The CA should as an organization have a firm grip on both as well as a number of other bits but no one person is going to have their head wrapped around all the bits so in a case such as this where there is clearly either misunderstanding or disagreement let’s not sit around wasting time in recriminations and coulda shoulda woulda. Instead let’s clearly state the expected behavior in a ballot and put it in the BR so that if nothing else it’s in more than one place and has more eyes on it.

________________________________
From: Ryan Sleevi <sleevi at google.com>
Sent: Monday, October 15, 2018 9:23:15 PM
To: Richard Smith
Cc: CA/Browser Forum Validation WG List; jeremy rowley
Subject: Re: [cabf_validation] Underscores, DNSNames, and SRVNames



On Mon, Oct 15, 2018 at 9:53 PM Richard Smith <rich at comodoca.com> wrote:
Ryan, I mostly agree with you except that the underscore issue is fairly esoteric and Jeremy has already pointed out that at least one of those RFCs is neither clear nor unambiguous.

Only by ignoring the text that's there. Which if we accept that as a basis for not being clear and ambiguous, then no amount of text we add will be sufficient, because the CA will always be able to claim it wasn't "clear enough" that the sentence following was in fact a restriction.

If there is a point that we consider critical to a CA’s operation let’s clarify it and throw it in the BR as well, especially since I am also reasonably confident that most auditors have not spent significant time spelunking the RFCs so if it’s not codified in the BR and the CA hasn’t clearly stated it in their CP the auditor will likely miss it if we don’t make it clear.

If a CA can't do this, they shouldn't be a CA. Fundamentally everything they do is called into question. You cannot have an exact syntax representation and restricted character set and argue it's confusing without being conflated with incompetence. I know that's wrong words, but that's the reality - there's no way you can look at the ABNF grammar and say "You know, maybe this isn't a grammar, maybe it's just a suggestion".

That's like arguing RFC 2119 is really RFC 6919.
