Ryan Sleevi <[email protected]> wrote:

> On Mon, Jul 12, 2021 at 4:20 PM Brian Smith <[email protected]> wrote:
> > If we get to the part of validation where RFC 6125 is relevant then we
> > already know the wildcard dNSName subjectAltName entry is valid. Given
> > that, RFC 6125 just needs to specify how to match, syntactically, a
> > wildcard against a reference identifier. (I think this is compatible with
> > what Ryan Sleevi wrote in this thread.)
>
> Right, I think we agree that 6125bis doesn't need to tackle that, but
> it does sound like we disagree why.
>
> It seems you're in favor of the "fail fail" scenario, which happens
> before reaching 6125bis processing, and is rejected for all names
> asserted.
>
> I was arguing for a "fail if used" scenario, where it's only checked
> after 6125bis comparisons have happened, and which certificate remains
> valid for the other names it asserts.
I think the important point is that RFC 6125 can specify the syntax of a wildcard, and we can specify how to match a reference ID against it, without having to dive into determining whether the CA should have issued that wildcard and/or what other validation of the wildcard needs to be done. I.e. that further validation happens outside (before, after, or in parallel to) RFC 6125 processing.

Cheers,
Brian
--
https://briansmith.org/
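The separation the thread is arguing for, as an added illustration (not code from the thread, from RFC 6125, or from either author): a purely syntactic wildcard comparison in the spirit of RFC 6125 section 6.4.3, kept apart from the "is this wildcard well-formed at all" check, so that the two certificate-level policies Ryan names ("fail fail" versus "fail if used") can be written as thin wrappers over the same matcher. Function names and the sample SAN lists are assumptions.

```python
import re

# Ordinary DNS label: LDH characters, no leading or trailing hyphen.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def _labels(name):
    # Case-insensitive comparison; a trailing dot does not change the name.
    return name.lower().rstrip(".").split(".")


def well_formed_wildcard(presented):
    """Syntax check only: one '*', it must be the entire left-most label, and at
    least two ordinary labels must follow it. Whether the CA was allowed to
    issue it is a policy question that lives outside this function."""
    labels = _labels(presented)
    if "*" not in presented:
        return True                      # not a wildcard, nothing to check
    if presented.count("*") != 1 or labels[0] != "*":
        return False                     # partial ("f*o.") or nested ("*.*.") forms
    if len(labels) < 3:
        return False                     # "*.com" would cover every second-level name
    return all(_LABEL.match(label) for label in labels[1:])


def matches(reference, presented):
    """RFC 6125-style comparison of a reference identifier against a presented
    dNSName. A wildcard stands for exactly one label and never spans a dot.
    Reference identifiers never carry wildcards themselves."""
    ref, pres = _labels(reference), _labels(presented)
    if "*" in reference or len(ref) != len(pres):
        return False
    if pres[0] == "*":
        head = bool(_LABEL.match(ref[0]))
    else:
        head = ref[0] == pres[0]
    return head and ref[1:] == pres[1:]


def verify_fail_fail(reference, sans):
    """'fail fail': any ill-formed wildcard anywhere in the SAN list rejects the
    certificate before matching is attempted, for every name it asserts."""
    if not all(well_formed_wildcard(san) for san in sans):
        return False
    return any(matches(reference, san) for san in sans)


def verify_fail_if_used(reference, sans):
    """'fail if used': match first, then reject only the matched name if it is
    an ill-formed wildcard; the certificate stays usable for its other names."""
    return any(matches(reference, san) and well_formed_wildcard(san) for san in sans)
```

With a constructed SAN list such as `["*.com", "www.example.org"]`, the two policies disagree for `www.example.org`: "fail fail" rejects the whole certificate because of the bad `*.com` entry, while "fail if used" accepts it because the matched name is well-formed.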
_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
