On Tue, Jun 23, 2020 at 5:49 AM Eliot Lear <l...@cisco.com> wrote:

> On 23 Jun 2020, at 14:01, Eric Rescorla <e...@rtfm.com> wrote:
>
>> I don’t know if the group looked at this, but I can say that from a
>> public CA standpoint, it’s not much different from otherName because there
>> is a requirement to validate the name. A new URI scheme would require a
>> new resolution mechanism. Perhaps that is needed as part of ACP *anyway*.
>> The one value of URI is that it is easier to configure in some of the
>> tooling like OpenSSL.
>>
>> What disturbs me about all of this is that public CAs will accept
>> otherNames and produce garbage out. That’s just asking for a boot to the
>> head* from a vulnerability perspective.
>
> This would at present appear to violate the BRs. S 7.1.4.2.1 says:
>
> Contents: This extension MUST contain at least one entry. Each entry MUST
> be either a dNSName containing the Fully-Qualified Domain Name or an
> iPAddress containing the IP address of a server. The CA MUST confirm that
> the Applicant controls the Fully-Qualified Domain Name or IP address or has
> been granted the right to use it by the Domain Name Registrant or IP
> address assignee, as appropriate.
>
> -Ekr
>
> Oh it does the DV. It just adds garbage into the cert :-(
I'm talking about the second sentence, which requires that the SAN contain only dNSName or IPAddress. -Ekr
_______________________________________________ Anima mailing list Anima@ietf.org https://www.ietf.org/mailman/listinfo/anima
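The check Ekr is pointing at (BR 7.1.4.2.1: the SAN must have at least one entry and every entry must be a dNSName or an iPAddress) is mechanical enough to lint. The example below is an added illustration, not code from this thread or from any CA's tooling: it parses a DER-encoded subjectAltName extension value with the standard library only and reports any GeneralName that is not dNSName [2] or iPAddress [7], which is exactly the class of otherName entries Eliot describes as "garbage" getting past domain validation. The builder helpers, the sample names and the OID 1.2.3.4 are constructed for the demo; the parser assumes single-byte tags (all GeneralName tags are) and the builders assume short-form lengths.

```python
"""Lint a subjectAltName (SAN) extension value against CA/B Forum BR 7.1.4.2.1.

Added example for this thread, stdlib only. GeneralName is a CHOICE of
context-specific tags; the BR permits only dNSName [2] and iPAddress [7]
in publicly trusted server certificates.
"""

GENERAL_NAME_TAGS = {
    0: "otherName", 1: "rfc822Name", 2: "dNSName", 3: "x400Address",
    4: "directoryName", 5: "ediPartyName", 6: "uniformResourceIdentifier",
    7: "iPAddress", 8: "registeredID",
}
PERMITTED_BY_BR = {"dNSName", "iPAddress"}


def _read_tlv(data: bytes, pos: int):
    """Read one DER TLV at `pos` (single-byte tags only).

    Returns (tag_byte, value_bytes, position_after_tlv)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    value = data[pos:pos + length]
    if len(value) != length:
        raise ValueError("truncated DER")
    return tag, value, pos + length


def parse_san(der: bytes):
    """Decode SAN ::= SEQUENCE OF GeneralName into [(kind, display), ...]."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("SAN value must be a single SEQUENCE")
    entries, pos = [], 0
    while pos < len(body):
        tag, value, pos = _read_tlv(body, pos)
        if tag & 0xC0 != 0x80:              # class bits must be context-specific
            raise ValueError("GeneralName must be context-specific")
        kind = GENERAL_NAME_TAGS.get(tag & 0x1F, f"unknown[{tag & 0x1F}]")
        if kind == "dNSName":
            display = value.decode("ascii")   # IA5String
        elif kind == "iPAddress" and len(value) == 4:
            display = ".".join(str(b) for b in value)
        else:
            display = value.hex()             # opaque for the lint's purposes
        entries.append((kind, display))
    return entries


def lint_san(der: bytes):
    """Return a list of BR 7.1.4.2.1 violations (empty list means compliant)."""
    entries = parse_san(der)
    problems = [f"{kind} entry not permitted by BR 7.1.4.2.1: {disp}"
                for kind, disp in entries if kind not in PERMITTED_BY_BR]
    if not entries:
        problems.append("SAN must contain at least one entry")
    return problems


# --- builders for constructed sample SANs (short-form lengths only) ---------
def _tlv(tag: int, value: bytes) -> bytes:
    assert len(value) < 128, "builders only emit short-form lengths"
    return bytes([tag, len(value)]) + value

def dns_name(name: str) -> bytes:            # [2] IMPLICIT IA5String
    return _tlv(0x82, name.encode("ascii"))

def ip4_address(addr: str) -> bytes:         # [7] IMPLICIT OCTET STRING
    return _tlv(0x87, bytes(int(o) for o in addr.split(".")))

def other_name(oid_der: bytes, value_der: bytes) -> bytes:
    # [0] IMPLICIT SEQUENCE { type-id OID, value [0] EXPLICIT ANY }
    return _tlv(0xA0, oid_der + _tlv(0xA0, value_der))

def san(*names: bytes) -> bytes:
    return _tlv(0x30, b"".join(names))

# Constructed samples: a compliant SAN and one carrying an otherName whose
# type-id is the placeholder OID 1.2.3.4 with a UTF8String value.
COMPLIANT_SAN = san(dns_name("example.com"), ip4_address("192.0.2.1"))
OTHERNAME_SAN = san(dns_name("example.com"),
                    other_name(b"\x06\x03\x2a\x03\x04",
                               b"\x0c\x0bplaceholder"))

if __name__ == "__main__":
    for label, value in (("compliant", COMPLIANT_SAN), ("otherName", OTHERNAME_SAN)):
        print(label, parse_san(value), lint_san(value) or "OK")
```

The point of the lint is that domain validation and name-type enforcement are separate checks: a CA can correctly validate `example.com` and still emit the otherName beside it, which is the failure mode described above. Running the lint over the extension value before issuance (or over issued certificates as a relying party) catches that independently of whether the DV step succeeded.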