[cabf_validation] Underscores, DNSNames, and SRVNames

Ryan Sleevi sleevi at google.com
Mon Oct 15 19:23:15 MST 2018

On Mon, Oct 15, 2018 at 9:53 PM Richard Smith <rich at comodoca.com> wrote:

> Ryan, I mostly agree with you except that the underscore issue is fairly
> esoteric and Jeremy has already pointed out that at least one of those RFCs
> is neither clear nor unambiguous.

Only by ignoring the text that's there. Which if we accept that as a basis
for not being clear and ambiguous, then no amount of text we add will be
sufficient, because the CA will always be able to claim it wasn't "clear
enough" that the sentence following was in fact a restriction.

> If there is a point that we consider critical to a CA’s operation, let’s
> clarify it and throw it in the BR as well, especially since I am also
> reasonably confident that most auditors have not spent significant time
> spelunking the RFCs so if it’s not codified in the BR and the CA hasn’t
> clearly stated it in their CP the auditor will likely miss it if we don’t
> make it clear.

If a CA can't do this, they shouldn't be a CA. Fundamentally everything
they do is called into question. You cannot have an exact syntax
representation and restricted character set and argue it's confusing
without being conflated with incompetence. I know that's wrong words, but
that's the reality - there's no way you can look at the ABNF grammar and
say "You know, maybe this isn't a grammar, maybe it's just a suggestion".

That's like arguing RFC 2119 is really RFC 6919.