[Servercert-wg] [cabf_validation] Underscores, DNSNames, and SRVNames

James Burton burton at typewritten.net
Mon Oct 22 09:30:19 MST 2018


It would greatly benefit this discussion if you could provide us with this
non-public documentation (with permission of course) backing up this
assertion. I'm not calling you a liar. It's more to do with why certain
things happened and what led up to these decisions being made.

On Mon, Oct 22, 2018 at 4:52 PM Phillip via Servercert-wg <
servercert-wg at cabforum.org> wrote:

> https://tools.ietf.org/html/rfc5507
>
>
>
> Note section 5 in particular.
>
>
>
> Since I was at the center of those discussions as Principal Scientist of
> VeriSign, I had access to much that was not public. The Design Choices RFC
> was issued in an attempt to discourage the approach used in Bonjour which
> was already becoming a de facto standard.
>
>
>
> This is why RFC 6763 only appeared in 2013.
>
>
>
>
>
> *From:* Ryan Sleevi <sleevi at google.com>
> *Sent:* Monday, October 22, 2018 11:26 AM
> *To:* Phillip <philliph at comodo.com>
> *Cc:* servercert-wg at cabforum.org; Wayne Thayer <wthayer at mozilla.com>
> *Subject:* Re: [Servercert-wg] [cabf_validation] Underscores, DNSNames,
> and SRVNames
>
>
>
> Could you provide any links to IETF discussions that you believe could
> help provide better clarity?
>
>
>
> I tried to demonstrate via source documents. If you believe these
> documents are incorrect with dates, this seems like it would be a
> significant issue for the IETF to resolve rather rapidly. If you believe
> there are additional source documents that should be considered, that would
> support the claim, I'd welcome them as an opportunity to understand why you
> believe the underscores issue is somehow particular to RFC 5280 in 2008,
> considering the language was introduced and incorporated a decade and two
> documents prior.
>
>
>
> On Mon, Oct 22, 2018 at 11:16 AM Phillip <philliph at comodo.com> wrote:
>
> I was there.
>
>
>
> You were not
>
>
>
> You have no idea what you are talking about.
>
>
>
>
>
> *From:* Ryan Sleevi <sleevi at google.com>
> *Sent:* Monday, October 22, 2018 10:48 AM
> *To:* Phillip <philliph at comodo.com>
> *Cc:* servercert-wg at cabforum.org; Wayne Thayer <wthayer at mozilla.com>
> *Subject:* Re: [Servercert-wg] [cabf_validation] Underscores, DNSNames,
> and SRVNames
>
>
>
>
>
> On Mon, Oct 22, 2018 at 10:22 AM Phillip <philliph at comodo.com> wrote:
>
> RFC 5280 was issued in 2008 when the DNS community had a very different
> understanding of the role of underscores.
>
>
>
> There was a faction devoted to the peculiar notion that the way to deploy
> DNSSEC was to force use of DNS features that would require the use of new
> RRs as a means of accelerating DNS deployment. That strategy is now moot.
>
>
>
> That's an interesting, but rather completely ahistorical and demonstrably
> incorrect take, on the provenance and relevance of that requirement, which
> of course undermines the entirety of your argument.
>
>
>
> Said language originates in RFC 2459, published as such in 1999, although
> the relevant section itself with respect to preferred name syntax dating to
> the changes made in
> https://tools.ietf.org/html/draft-ietf-pkix-ipki-part1-08 (in 1998) in
> response to a lack of clarity in the language in previous drafts.
>
>
>
> Considering this, it seems entirely wrong to suggest it was a "mistake",
> especially since the proposed specification of SRVName is already
> encapsulated in RFC 4985, developed by Microsoft in 2007.
>
>
>
> If your view is that "The IETF wasn't thinking about this SRVName stuff in
> 2008", that too can be demonstrated as false, considering
> https://tools.ietf.org/html/draft-ietf-pkix-srvsan-00 was dated 2005.
>
>
>
> So it would be woefully mistaken to suggest it was a "mistake" or
> oversight, and equally mistaken to suggest that it's somehow necessary for
> the CA/Browser Forum to deliberately introduce security and compatibility
> issues in pursuit of new certificate issuance opportunities.
>