Hi Ben

> On 23 Jun 2020, at 05:31, Benjamin Kaduk <ka...@mit.edu> wrote:
>
> Russ has been helping reach out to more of the PKIX community; one
> suggestion that came up so far is to consider defining a dedicated URI
> scheme and using a uniformResourceIdentifier SAN -- did the WG consider
> that in the initial discussions?
I don’t know if the group looked at this, but I can say that from a public CA standpoint, it’s not much different from otherName because there is a requirement to validate the name. A new URI scheme would require a new resolution mechanism. Perhaps that is needed as part of ACP anyway. The one value of URI is that it is easier to configure in some of the tooling like OpenSSL.

What disturbs me about all of this is that public CAs will accept otherNames and produce garbage out. That’s just asking for a boot to the head* from a vulnerability perspective.

Eliot

* https://www.youtube.com/watch?v=-V1Mn5-xF0w
** (And one for Jenny and the whimp)
_______________________________________________
Anima mailing list
Anima@ietf.org
https://www.ietf.org/mailman/listinfo/anima
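As an added example that is not part of the thread, a relying-party check in the spirit of Eliot's point: it separates the SAN GeneralNames it can actually validate (a known otherName type, a resolvable URI scheme, a dNSName) from the ones it cannot, instead of passing unvalidated otherName or URI contents through. The SAN bytes, the OIDs under 1.3.6.1.4.1.99999 and the acp:// scheme are constructed placeholders, not values from the thread or from ACP.

```python
# Added example, not from the thread: a relying-party SAN check. All sample values
# (SAN bytes, OIDs under 1.3.6.1.4.1.99999, the "acp" URI scheme) are constructed.
OTHER_NAME, DNS_NAME, URI_NAME = 0xA0, 0x82, 0x86   # GeneralName tags, RFC 5280 4.2.1.6
TRUSTED_OTHERNAME_OIDS = {"1.3.6.1.4.1.99999.1"}     # otherName types this RP can validate
TRUSTED_URI_SCHEMES = {"https"}                      # URI schemes this RP can resolve
def _tlv(buf, pos):
    """Read one DER TLV at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                     # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length
def _decode_oid(raw):
    """Decode a DER OBJECT IDENTIFIER payload into dotted-decimal form."""
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))
def check_san(san_der):
    """Split a SAN extension into (accepted, rejected) lists of (kind, value)."""
    tag, seq, _ = _tlv(san_der, 0)
    if tag != 0x30:
        raise ValueError("SAN must be a SEQUENCE OF GeneralName")
    accepted, rejected, pos = [], [], 0
    while pos < len(seq):
        tag, val, pos = _tlv(seq, pos)
        if tag == OTHER_NAME:             # type-id OID followed by [0] EXPLICIT value
            entry = ("otherName", _decode_oid(_tlv(val, 0)[1]))
            ok = entry[1] in TRUSTED_OTHERNAME_OIDS
        elif tag == URI_NAME:             # a scheme nobody can resolve is not a validated name
            entry = ("uri", val.decode("ascii"))
            ok = entry[1].split(":", 1)[0] in TRUSTED_URI_SCHEMES
        elif tag == DNS_NAME:
            entry, ok = ("dns", val.decode("ascii")), True
        else:                             # any other GeneralName: reject, never pass through
            entry, ok = ("unknown-tag-0x%02x" % tag, val.hex()), False
        (accepted if ok else rejected).append(entry)
    return accepted, rejected
def _der(tag, body):                      # short-form DER TLV, only to build the sample
    return bytes([tag, len(body)]) + body
_OID_A, _OID_B = (bytes([0x2B, 6, 1, 4, 1, 0x86, 0x8D, 0x1F, x]) for x in (1, 2))
SAMPLE_SAN = _der(0x30,                                      # constructed SAN extension
    _der(OTHER_NAME, _der(0x06, _OID_A) + _der(0xA0, _der(0x0C, b"node1")))
    + _der(URI_NAME, b"https://example.test/acp")
    + _der(URI_NAME, b"acp://node1.example.test")           # hypothetical scheme, no resolver
    + _der(DNS_NAME, b"node1.example.test")
    + _der(OTHER_NAME, _der(0x06, _OID_B) + _der(0xA0, _der(0x0C, b"garbage"))))
```

Running `check_san(SAMPLE_SAN)` accepts the known otherName, the https URI and the dNSName, and rejects the acp:// URI and the unknown otherName type.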