Ah.  Sorry about that.  I agree that no CA can issue those yet.

-----Original Message-----
From: Peter Bowen [mailto:pzbo...@gmail.com]
Sent: Tuesday, August 15, 2017 9:04 AM
To: Jeremy Rowley <jeremy.row...@digicert.com>
Cc: Gervase Markham <g...@mozilla.org>; Ryan Sleevi <r...@sleevi.com>; Peter 
Bowen <p...@amzn.com>; mozilla-dev-security-policy 
<mozilla-dev-security-pol...@lists.mozilla.org>
Subject: Re: SRVNames in name constraints

On Tue, Aug 15, 2017 at 8:01 AM, Jeremy Rowley <jeremy.row...@digicert.com> 
wrote:
> I realize use of underscore characters has been debated and explained
> at the CAB Forum, but I think it's pretty evident (based on the certs
> issued and responses to Ballot 202) that not all CAs believe certs for
> SRVNames are prohibited. I realize the rationale against underscores
> is that 5280 requires a valid host name for DNS and X.509 does not
> necessarily permit underscores, but it's not explicitly stated. Ballot
> 202 went a long way towards clarification on when underscores are
> permitted, but that failed, creating all new confusion on the issue.
> Any CA not paying careful attention to the discussion and looking at
> only the results, would probably believe SRVNames are permitted as
> long as the entry is in SAN:dNSName instead of otherName.

Jeremy,

I was assuming the definition of "SRVname" meant an otherName type entry. 
Obviously a dNSName of _xmpp.example.com would have name constraints applied, 
so I don't think that there is an issue there.

Thanks,
Peter

Attachment: smime.p7s
Description: S/MIME cryptographic signature

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
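
The distinction drawn in the thread, as an added example that is not from any of the participants: a simplified model of RFC 5280 name-constraint checking, in which a dNSName constraint is compared label by label (so `_xmpp.example.com` is covered) while an otherName SRVName (RFC 4985) is a different name type that a dNSName-only constraint never touches. The function names, the tuple encoding of SAN entries and the sample names are assumptions made for illustration.

```python
# Constructed sample data; all names here are hypothetical illustration.

def dns_name_within(name, base):
    """RFC 5280 4.2.1.10 dNSName rule: a name satisfies the constraint if it
    equals the base or adds one or more labels on the left-hand side."""
    name, base = name.lower().rstrip("."), base.lower().rstrip(".")
    return base == "" or name == base or name.endswith("." + base)


def evaluate_san(san_entries, permitted, excluded=()):
    """Map each (type, value) SAN entry to 'permitted', 'rejected' or
    'unconstrained'. Constraints only apply to names of the same type."""
    verdicts = {}
    for kind, value in san_entries:
        allow = [v for k, v in permitted if k == kind]
        deny = [v for k, v in excluded if k == kind]
        if not allow and not deny:
            # No subtree of this name type exists, so nothing restricts it.
            verdicts[(kind, value)] = "unconstrained"
            continue
        if kind != "dNSName":
            raise NotImplementedError("only dNSName matching is modelled here")
        if any(dns_name_within(value, b) for b in deny):
            verdicts[(kind, value)] = "rejected"
        elif allow and not any(dns_name_within(value, b) for b in allow):
            verdicts[(kind, value)] = "rejected"
        else:
            verdicts[(kind, value)] = "permitted"
    return verdicts


# Constructed CA constraint: permittedSubtrees contains only a dNSName entry.
PERMITTED = [("dNSName", "example.com")]

# Constructed leaf SAN: the same string once as dNSName, once as SRVName.
SAN = [
    ("dNSName", "_xmpp.example.com"),
    ("dNSName", "_xmpp.example.net"),
    ("otherName:SRVName", "_xmpp.example.com"),
]

if __name__ == "__main__":
    for entry, verdict in evaluate_san(SAN, PERMITTED).items():
        print(entry, "->", verdict)
```

The underscore plays no part in the comparison; what decides the outcome is the name type the value is encoded under.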
