Peter, Rex, and all,
-----Original Message----- >From: Peter Saint-Andre <[email protected]> >Sent: Oct 13, 2010 4:52 PM >To: [email protected] >Subject: Re: [certid] open issue: wildcards in component fragments > >On 10/13/10 3:39 PM, =JeffH wrote: >>> Note that at least two technology communities have forbidden wildcard >>> certificates: >>> >>> 1. RFC 5992 forbids wildcard certificates in the SIP community. >>> >>> 2. The CA/Browser Forum doesn't allow issuance of wildcard certificates >>> under its "Extended Valuation Certificates" profile. >>> >>> So there is some precedent for forbidding wildcard certificates. Is that >>> a best current practice? Should this I-D state that wildcard >>> certificates (of whatever variety) are NOT RECOMMENDED? >> >> >> I'm thinking that the latter is the way to go wrt wildcards. RFC2119 sez.. >> >> 4. SHOULD NOT This phrase, or the phrase "NOT RECOMMENDED" mean that >> there may exist valid reasons in particular circumstances when the >> particular behavior is acceptable or even useful, but the full >> implications should be understood and the case carefully weighed >> before implementing any behavior described with this label. >> >> ..which certainly sounds reasonable for this situation. >> >> Our working copy of -tls-server-id-check (which are trying to pub by end >> of this week) has further clarifications wrt the spec's not outright >> forbidding current practice and various other current specifications, >> thus present wildcard use does not necessarily conflict with such a "NOT >> RECOMMENDED" stance. Plus such a stance aligns better with the EV >> Guidelines, RFC5992, and perhaps other specs going forward. > >Jeff and I have been thinking about this independently today, and it >seems we're going in the same direction. Following Martin Rex's argument >to its logical conclusion has led me to believe that wildcards deserve >to be NOT RECOMMENDED in a best current practice document. I agree completely. > >Peter > >-- >Peter Saint-Andre >https://stpeter.im/ > > >_______________________________________________ >certid mailing list >[email protected] >https://www.ietf.org/mailman/listinfo/certid Regards, Jeffrey A. Williams "Obedience of the law is the greatest freedom" - Abraham Lincoln "Credit should go with the performance of duty and not with what is very often the accident of glory" - Theodore Roosevelt "If the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B is less than PL." United States v. Carroll Towing (159 F.2d 169 [2d Cir. 1947] =============================================================== Updated 1/26/04 CSO/DIR. Internet Network Eng. SR. Eng. Network data security IDNS. div. of Information Network Eng. INEG. INC. ABA member in good standing member ID 01257402 E-Mail [email protected] Phone: 214-244-4827 _______________________________________________ certid mailing list [email protected] https://www.ietf.org/mailman/listinfo/certid
