[Servercert-wg] [cabf_validation] Underscores, DNSNames, and SRVNames

Ryan Sleevi sleevi at google.com
Mon Oct 22 07:47:42 MST 2018


On Mon, Oct 22, 2018 at 10:22 AM Phillip <philliph at comodo.com> wrote:

> RFC 5280 was issued in 2008 when the DNS community had a very different
> understanding of the role of underscores.
>
> There was a faction devoted to the peculiar notion that the way to deploy
> DNSSEC was to force use of DNS features that would require the use of new
> RRs as a means of accelerating DNS deployment. That strategy is now moot.
>

That's an interesting, but rather completely ahistorical and demonstrably
incorrect take, on the provenance and relevance of that requirement, which
of course undermines the entirety of your argument.

Said language originates in RFC 2459, published as such in 1999, although
the relevant section itself, with respect to preferred name syntax, dates to
the changes made in
https://tools.ietf.org/html/draft-ietf-pkix-ipki-part1-08 (in 1998) in
response to a lack of clarity in the language in previous drafts.

Considering this, it seems entirely wrong to suggest it was a "mistake",
especially since the proposed specification of SRVName is already
encapsulated in RFC 4985, developed by Microsoft in 2007.

If your view is that "The IETF wasn't thinking about this SRVName stuff in
2008", that too can be demonstrated as false, considering
https://tools.ietf.org/html/draft-ietf-pkix-srvsan-00 was dated 2005.

So it would be woefully mistaken to suggest it was a "mistake" or
oversight, and equally mistaken to suggest that it's somehow necessary for
the CA/Browser Forum to deliberately introduce security and compatibility
issues in pursuit of new certificate issuance opportunities.