[Servercert-wg] [cabf_validation] Underscores, DNSNames, and SRVNames

Phillip philliph at comodo.com
Mon Oct 22 08:52:27 MST 2018



Note section 5 in particular.


Since I was at the center of those discussions as Principal Scientist of VeriSign, I had access to much that was not public. The Design Choices RFC was issued in an attempt to discourage the approach used in Bonjour which was already becoming a de facto standard.


This is why RFC 6763 only appeared in 2013.



From: Ryan Sleevi <sleevi at google.com> 
Sent: Monday, October 22, 2018 11:26 AM
To: Phillip <philliph at comodo.com>
Cc: servercert-wg at cabforum.org; Wayne Thayer <wthayer at mozilla.com>
Subject: Re: [Servercert-wg] [cabf_validation] Underscores, DNSNames, and SRVNames


Could you provide any links to IETF discussions that you believe could help provide better clarity?


I tried to demonstrate via source documents. If you believe these documents are incorrect with dates, this seems like it would be a significant issue for the IETF to resolve rather rapidly. If you believe there are additional source documents that should be considered, that would support the claim, I'd welcome them as an opportunity to understand why you believe the underscores issue is somehow particular to RFC 5280 in 2008, considering the language was introduced and incorporated a decade and two documents prior.


On Mon, Oct 22, 2018 at 11:16 AM Phillip <philliph at comodo.com> wrote:

I was there. 


You were not


You have no idea what you are talking about.



From: Ryan Sleevi <sleevi at google.com>
Sent: Monday, October 22, 2018 10:48 AM
To: Phillip <philliph at comodo.com>
Cc: servercert-wg at cabforum.org; Wayne Thayer <wthayer at mozilla.com>
Subject: Re: [Servercert-wg] [cabf_validation] Underscores, DNSNames, and SRVNames



On Mon, Oct 22, 2018 at 10:22 AM Phillip <philliph at comodo.com> wrote:

RFC 5280 was issued in 2008 when the DNS community had a very different understanding of the role of underscores. 


There was a faction devoted to the peculiar notion that the way to deploy DNSSEC was to force use of DNS features that would require the use of new RRs as a means of accelerating DNS deployment. That strategy is now moot.


That's an interesting, but rather completely ahistorical and demonstrably incorrect take on the provenance and relevance of that requirement, which of course undermines the entirety of your argument.


Said language originates in RFC 2459, published as such in 1999, although the relevant section itself, with respect to preferred name syntax, dates to the changes made in https://tools.ietf.org/html/draft-ietf-pkix-ipki-part1-08 (in 1998) in response to a lack of clarity in the language in previous drafts.


Considering this, it seems entirely wrong to suggest it was a "mistake", especially since the proposed specification of SRVName is already encapsulated in RFC 4985, developed by Microsoft in 2007.


If your view is that "The IETF wasn't thinking about this SRVName stuff in 2008", that too can be demonstrated as false, considering https://tools.ietf.org/html/draft-ietf-pkix-srvsan-00 was dated 2005.


So it would be woefully mistaken to suggest it was a "mistake" or oversight, and equally mistaken to suggest that it's somehow necessary for the CA/Browser Forum to deliberately introduce security and compatibility issues in pursuit of new certificate issuance opportunities.
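The distinction the replies above turn on, as an added illustration that is not part of this thread: RFC 5280 requires a dNSName SAN to be in the RFC 1034 "preferred name syntax" (letters, digits and hyphens only), so a name with underscore labels such as `_sip._tcp.example.com` does not fit dNSName, whereas RFC 4985 defines a separate SRVName otherName for exactly that shape. The small checker below is hypothetical code (the function names and the lenient handling of several leading underscore labels are my assumptions, not anything from the RFCs or the Forum), usable as a pre-issuance lint for SAN values.

```python
import re

# One label of RFC 1034 s3.5 preferred name syntax, as relaxed by RFC 1123 s2.1
# (a label may start with a digit): 1-63 octets of letters/digits/hyphens,
# no leading or trailing hyphen. This is what RFC 5280 s4.2.1.6 requires of dNSName.
_LDH_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def _labels(name: str) -> list[str]:
    # A single trailing dot (absolute name) is tolerated; anything else is split as-is.
    return name[:-1].split(".") if name.endswith(".") else name.split(".")


def is_preferred_name_syntax(name: str) -> bool:
    """True if every label of `name` is an LDH label, i.e. the name is a valid dNSName."""
    if not name or len(name) > 253:
        return False
    return all(_LDH_LABEL.match(label) for label in _labels(name))


def classify_san(name: str) -> str:
    """Sort a candidate SAN value the way a CA-side linter might (assumed categories):
    'dNSName' - fits dNSName as RFC 5280 defines it.
    'srvname' - one or more leading-underscore labels (the SRV / DNS-SD convention)
                in front of a preferred-syntax name: belongs in an RFC 4985
                SRVName otherName, not in dNSName.
    'reject'  - neither, e.g. an underscore or stray hyphen inside an ordinary label.
    """
    if is_preferred_name_syntax(name):
        return "dNSName"
    labels = _labels(name)
    # Consume the leading "_service"-style labels; the part after "_" must itself be LDH.
    i = 0
    while i < len(labels) and labels[i].startswith("_") and _LDH_LABEL.match(labels[i][1:]):
        i += 1
    # Need at least one underscore label and a non-empty, fully LDH name after them.
    if 0 < i < len(labels) and all(_LDH_LABEL.match(label) for label in labels[i:]):
        return "srvname"
    return "reject"
```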
