I'd like to come up with a complete list of the open issues related to draft-saintandre-tls-server-id-check. Please reply to this thread with additional open issues, then I will start a separate thread about each.
Here's what I have so far:

1. Why exclude iPAddress from the scope?
2. Why exclude self-signed certs from the scope?
3. Should we forbid wildcards altogether?
4. Should we provide more guidance regarding wildcards? (For example, encourage issuance only for Class 2 certs.)
5. We need to document the security considerations for wildcards.
6. Should we move the text about CNs to a non-normative note?
7. Should we remove the rule about allowing a domain name in the CN only as the leftmost RDN?
8. We need to document the security considerations for CNs.
9. We need to specify how to handle internationalized domain names. (For example, specify IDNA2003 or IDNA2008 or straight punycode or some combination of recommendations.)
10. We need to specify matching rules for the uniformResourceIdentifier SAN.
11. We need to specify matching rules for the SRVName SAN.
12. We need to separate the domain checking rules from the service type checking rules.

Anything else?

Peter

--
Peter Saint-Andre
https://stpeter.im/
_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
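Several of the open issues above (wildcards, CN fallback, internationalized names) are about how a client decides whether a certificate matches the name it intended to reach. The following is an added, illustrative Python example, not text from the draft or from the thread, showing one conservative way such a check can be structured. The rule set it encodes (wildcard allowed only as the entire leftmost label and matching exactly one label, CN consulted only when no dNSName SAN is present, names compared as lower-case A-labels via Python's built-in IDNA2003 codec) is an assumption chosen for the example; the draft's own normative text and the thread's eventual decisions may differ. `CertIdentity` is a constructed stand-in for the identity fields of a parsed X.509 certificate, not a real library type.

```python
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class CertIdentity:
    """Constructed stand-in for the identity fields of an X.509 certificate."""
    dns_names: List[str] = field(default_factory=list)  # dNSName SAN entries
    common_name: Optional[str] = None                   # CN from the subject DN


def to_a_labels(name: str) -> str:
    """Normalise a host name to lower-case ASCII A-labels.

    Uses Python's built-in 'idna' codec (IDNA2003); choosing IDNA2003 here is an
    assumption for this example, not a position taken by the draft.
    Raises UnicodeError for names with empty or over-long labels.
    """
    return name.rstrip(".").encode("idna").decode("ascii").lower()


def match_dns(presented: str, reference: str) -> bool:
    """Match one presented dNSName (or CN) against the client's reference name."""
    try:
        p_labels = to_a_labels(presented).split(".")
        r_labels = to_a_labels(reference).split(".")
    except UnicodeError:
        return False
    if "*" in r_labels:
        # A reference identity never contains a wildcard.
        return False
    if p_labels == r_labels:
        return True
    # Wildcard handling (assumed rules for this example):
    #  - '*' must be the entire leftmost label ("*.example.com", not "w*.example.com")
    #  - it matches exactly one label, so "*.example.com" does not match "a.b.example.com"
    #  - at least two labels must follow it, so "*.com" is rejected
    if p_labels[0] == "*" and len(p_labels) >= 3 and len(p_labels) == len(r_labels):
        return p_labels[1:] == r_labels[1:]
    return False


def check_server_identity(cert: CertIdentity, reference: str) -> bool:
    """Return True if the certificate's identity matches the reference name.

    dNSName SANs take precedence; the CN is consulted only when the certificate
    carries no dNSName SAN at all (assumed fallback rule for this example).
    """
    if cert.dns_names:
        return any(match_dns(p, reference) for p in cert.dns_names)
    if cert.common_name:
        return match_dns(cert.common_name, reference)
    return False


if __name__ == "__main__":
    # Constructed sample certificates for illustration.
    wildcard_cert = CertIdentity(dns_names=["*.example.com"])
    cn_only_cert = CertIdentity(common_name="www.example.com")
    san_and_cn_cert = CertIdentity(dns_names=["api.example.com"],
                                   common_name="www.example.com")
    print(check_server_identity(wildcard_cert, "www.example.com"))      # True
    print(check_server_identity(wildcard_cert, "a.b.example.com"))      # False
    print(check_server_identity(cn_only_cert, "WWW.EXAMPLE.COM"))       # True
    print(check_server_identity(san_and_cn_cert, "www.example.com"))    # False
    print(to_a_labels("Bücher.Example."))                               # xn--bcher-kva.example
```

The last case is the one most relevant to issue 6/7 above: once a dNSName SAN is present, a CN that happens to match the reference name is ignored, so a certificate cannot smuggle an identity in the CN past a client that follows this rule.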
