[Servercert-wg] [cabf_validation] Underscores, DNSNames, and SRVNames

Ryan Sleevi sleevi at google.com
Mon Oct 22 08:25:42 MST 2018


Could you provide any links to IETF discussions that you believe could help
provide better clarity?

I tried to demonstrate via source documents. If you believe these documents
are incorrect with dates, this seems like it would be a significant issue
for the IETF to resolve rather rapidly. If you believe there are additional
source documents that should be considered, that would support the claim,
I'd welcome them as an opportunity to understand why you believe the
underscores issue is somehow particular to RFC 5280 in 2008, considering
the language was introduced and incorporated a decade and two documents
prior.

On Mon, Oct 22, 2018 at 11:16 AM Phillip <philliph at comodo.com> wrote:

> I was there.
>
> You were not
>
> You have no idea what you are talking about.
>
> *From:* Ryan Sleevi <sleevi at google.com>
> *Sent:* Monday, October 22, 2018 10:48 AM
> *To:* Phillip <philliph at comodo.com>
> *Cc:* servercert-wg at cabforum.org; Wayne Thayer <wthayer at mozilla.com>
> *Subject:* Re: [Servercert-wg] [cabf_validation] Underscores, DNSNames,
> and SRVNames
>
> On Mon, Oct 22, 2018 at 10:22 AM Phillip <philliph at comodo.com> wrote:
>
> RFC 5280 was issued in 2008 when the DNS community had a very different
> understanding of the role of underscores.
>
> There was a faction devoted to the peculiar notion that the way to deploy
> DNSSEC was to force use of DNS features that would require the use of new
> RRs as a means of accelerating DNS deployment. That strategy is now moot.
>
> That's an interesting, but rather completely ahistorical and demonstrably
> incorrect take, on the provenance and relevance of that requirement, which
> of course undermines the entirety of your argument.
>
> Said language originates in RFC 2459, published as such in 1999, although
> the relevant section itself with respect to preferred name syntax dating to
> the changes made in
> https://tools.ietf.org/html/draft-ietf-pkix-ipki-part1-08 (in 1998) in
> response to a lack of clarity in the language in previous drafts.
>
> Considering this, it seems entirely wrong to suggest it was a "mistake",
> especially since the proposed specification of SRVName is already
> encapsulated in RFC 4985, developed by Microsoft in 2007.
>
> If your view is that "The IETF wasn't thinking about this SRVName stuff in
> 2008", that too can be demonstrated as false, considering
> https://tools.ietf.org/html/draft-ietf-pkix-srvsan-00 was dated 2005.
>
> So it would be woefully mistaken to suggest it was a "mistake" or
> oversight, and equally mistaken to suggest that it's somehow necessary for
> the CA/Browser Forum to deliberately introduce security and compatibility
> issues in pursuit of new certificate issuance opportunities.
>
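An added example, not part of this thread or of any CA/Browser Forum or IETF document: a Python check that applies the RFC 5280 rule the thread is about (a dNSName must follow the RFC 1034 "preferred name syntax" as modified by RFC 1123, so an underscore is never permitted in it) and sorts candidate SAN strings into plain dNSNames, names shaped like the _Service/_Proto owner names that RFC 4985's SRVName otherName exists to carry, and names that fit neither. The "SRVName" bucket is a shape heuristic of mine (one or two leading underscore labels over an otherwise valid name), not a rule taken from either RFC.

```python
import re

# RFC 5280 s4.2.1.6: a dNSName must use the "preferred name syntax" of
# RFC 1034 s3.5 as modified by RFC 1123 s2.1: labels of letters, digits
# and hyphens (LDH), 1-63 octets, not starting or ending with a hyphen.
# Underscore is therefore not a permitted character in a dNSName.
_LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")

# Shape heuristic (an assumption of this example, not an RFC rule): an
# underscore followed by an LDH label, as in the _Service and _Proto labels
# of an RFC 2782 SRV owner name. RFC 4985 defines the SRVName otherName
# (_Service.Name) so such names need not be forced into a dNSName.
_SRV_LABEL = re.compile(r"^_[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def classify_san(name: str) -> str:
    """Return 'dNSName', 'SRVName' or 'invalid' for a candidate SAN string."""
    stripped = name.rstrip(".")          # tolerate a trailing root dot
    if not stripped or len(stripped) > 253:
        return "invalid"
    labels = stripped.split(".")
    if any(not label for label in labels):
        return "invalid"                 # empty label, e.g. "a..b"
    if all(_LDH_LABEL.match(label) for label in labels):
        return "dNSName"
    # Count leading SRV-style labels; what remains must be a plain LDH name.
    n_srv = 0
    while n_srv < len(labels) and _SRV_LABEL.match(labels[n_srv]):
        n_srv += 1
    rest = labels[n_srv:]
    if 1 <= n_srv <= 2 and rest and all(_LDH_LABEL.match(lab) for lab in rest):
        return "SRVName"
    return "invalid"                     # e.g. underscore inside a host label


def audit_sans(names):
    """Lint a SAN list (e.g. from a CSR) and report each name's bucket."""
    return {name: classify_san(name) for name in names}


if __name__ == "__main__":
    # Constructed sample SAN list, not taken from any real certificate.
    sample = ["www.example.com", "_sip._tcp.example.com", "my_host.example.com"]
    for name, verdict in audit_sans(sample).items():
        print(f"{name:28s} {verdict}")
```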