On Tue, Aug 15, 2017 at 8:01 AM, Jeremy Rowley <jeremy.row...@digicert.com> wrote: > I realize use of underscore characters was been debated and explained at the > CAB Forum, but I think it's pretty evident (based on the certs issued and > responses to Ballot 202) that not all CAs believe certs for SRVNames are > prohibited. I realize the rationale against underscores is that 5280 > requires a valid host name for DNS and X.509 does not necessarily permit > underscores, but it's not explicitly stated. Ballot 202 went a long way > towards clarification on when underscores are permitted, but that failed, > creating all new confusion on the issue. Any CA not paying careful > attention to the discussion and looking at only the results, would probably > believe SRVNames are permitted as long as the entry is in SAN:dNSName > instead of otherName.
Jeremy, I was assuming the definition of "SRVname" meant an otherName type entry. Obviously a dNSName of _xmpp.example.com would have name constraints applied, so I don't think that there is an issue there. Thanks, Peter _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy