[Servercert-wg] [cabf_validation] Underscores, DNSNames, and SRVNames
Phillip
philliph at comodo.com
Mon Oct 22 08:16:10 MST 2018
I was there.
You were not.
You have no idea what you are talking about.
From: Ryan Sleevi <sleevi at google.com>
Sent: Monday, October 22, 2018 10:48 AM
To: Phillip <philliph at comodo.com>
Cc: servercert-wg at cabforum.org; Wayne Thayer <wthayer at mozilla.com>
Subject: Re: [Servercert-wg] [cabf_validation] Underscores, DNSNames, and SRVNames
On Mon, Oct 22, 2018 at 10:22 AM Phillip <philliph at comodo.com> wrote:
RFC 5280 was issued in 2008 when the DNS community had a very different understanding of the role of underscores.
There was a faction devoted to the peculiar notion that the way to deploy DNSSEC was to force use of DNS features that would require the use of new RRs as a means of accelerating DNS deployment. That strategy is now moot.
That's an interesting, but rather completely ahistorical and demonstrably incorrect take, on the provenance and relevance of that requirement, which of course undermines the entirety of your argument.
Said language originates in RFC 2459, published as such in 1999, although the relevant section itself with respect to preferred name syntax dates to the changes made in https://tools.ietf.org/html/draft-ietf-pkix-ipki-part1-08 (in 1998) in response to a lack of clarity in the language in previous drafts.
Considering this, it seems entirely wrong to suggest it was a "mistake", especially since the proposed specification of SRVName is already encapsulated in RFC 4985, developed by Microsoft in 2007.
If your view is that "The IETF wasn't thinking about this SRVName stuff in 2008", that too can be demonstrated as false, considering https://tools.ietf.org/html/draft-ietf-pkix-srvsan-00 was dated 2005.
So it would be woefully mistaken to suggest it was a "mistake" or oversight, and equally mistaken to suggest that it's somehow necessary for the CA/Browser Forum to deliberately introduce security and compatibility issues in pursuit of new certificate issuance opportunities.