[cabf_validation] SRVNames in subjectAltNames and nameConstraints

Ryan Sleevi sleevi at google.com
Thu Apr 22 22:17:51 UTC 2021

As a follow-up to our call today, I filed
https://github.com/cabforum/servercert/issues/268 to capture the discussion
we had around SRVNames, so that we can explore steps going forward.

While it is not a priority of Google to add support for SRVNames, relative
to the other important work still to be done in the Forum, we're broadly
supportive of the goal.

Our proposed sequencing is this:

   1. A transition path so that existing technically constrained sub-CAs,
   which are not constrained by SRVNames, are phased out (e.g. revoked and
   replaced in time)
   2. Support for SRVNames added to browser clients. This cannot happen
   before 1, due to the security risk otherwise.
   3. Support for CAs issuing SRVNames
      - At a minimum, CAs MUST validate the Domain Portion in a manner
      consistent with validating a dNSName
      - It's unclear what policies should be developed for service names,
      particularly for those using the "host-based" demonstrations of control
      (e.g. - ALPN and .well-known. One path might be
mapping the
      port used for the validation to the IANA well-known port
registry (e.g. 80
      or 443 becomes "http" SRVName, 465/587 becomes "smtp", etc)

Since there was a desire to keep discussing, I said I'd file a GitHub issue
and discuss on list.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/validation/attachments/20210422/51233a5e/attachment.html>

More information about the Validation mailing list