On Mon, May 16, 2022 at 7:47 AM Peter Thomassen <[email protected]> wrote:
> FWIW, the notion is already codified in RFC 7489 (Section 3.2) and RFC
> 9091 (in the title, albeit experimental).

Yes, doubly unfortunate, as the DBOUND WG can attest ;)

> Sure. However, if the relevant part of the DNS space is, at the time of
> certificate issuance, separated into different realms of authority (e.g.,
> as indicated by a PSL entry),

NB: the PSL does not indicate this separation of authority. This is an example of the problem DBOUND was tackling, in which different use cases and needs were projected onto the PSL, but not necessarily what the PSL reflected.

> > The requirement of public suffix separation is _primarily_ a holdover
> > from when every validation method was treated equally by CAs (e.g. the use
> > of HTTP to approve a wildcard domain, without demonstrating DNS-based
> > control). With the new separations that restrict such broadening,
>
> Which?

The Baseline Requirements, and the limits on what methods are suitable to authorize an Authorization Domain Name and Wildcard. The methods, and their limitations, are discussed in 3.2.2.4.

However, this is all policy, and arguably out of scope here. Even the PSL reflects a policy-based approach, due to the many versions of such lists, either chronological from a single source or, quite commonly, local policy based modifications and adjustments. So there’s no value to be derived in referencing it, if only because it’s an unstable and subjective base to begin with.
_______________________________________________
Acme mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/acme
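The message above argues that a PSL lookup is an unstable, policy-dependent basis for deciding where authority is separated. The following is an added illustration, not code from the thread, from any CA, or from an ACME implementation: a minimal Public Suffix List matcher (plain rules, `*.` wildcard rules, `!` exception rules, longest match with exception-wins resolution, as documented at publicsuffix.org) run over two constructed list snapshots, plus a hypothetical `psl_permits_wildcard` policy that refuses a wildcard whose parent is a public suffix. The dns-01 handling follows RFC 8555 (the leading `*.` label is dropped and the TXT record is placed under `_acme-challenge.<name>`). The `.example` names, both snapshots and the policy function are assumptions made for this example.

```python
# Added example: PSL matching across two constructed snapshots.
# The snapshots are constructed excerpts, not the real Public Suffix List.

# Constructed excerpt of an earlier PSL revision.
PSL_SNAPSHOT_A = """
// ICANN section (constructed)
example
"""

# Constructed excerpt of a later revision: a hosting provider has had
# "sites.example" added to the private section, alongside a wildcard rule
# with an exception.
PSL_SNAPSHOT_B = """
// ICANN section (constructed)
example
// private section (constructed)
sites.example
*.hosted.example
!shared.hosted.example
"""


def parse_psl(text):
    """Parse PSL text into a list of (labels, is_exception) rules."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        is_exception = line.startswith("!")
        if is_exception:
            line = line[1:]
        rules.append((tuple(line.lower().split(".")), is_exception))
    return rules


def _labels(name):
    return name.lower().rstrip(".").split(".")


def _rule_matches(rule_labels, name_labels):
    """Right-to-left comparison; a "*" rule label matches exactly one label."""
    if len(rule_labels) > len(name_labels):
        return False
    return all(r == "*" or r == n
               for r, n in zip(reversed(rule_labels), reversed(name_labels)))


def public_suffix(name, rules):
    """Public suffix of name: an exception rule wins outright, otherwise the
    longest matching rule, otherwise the implicit "*" rule (the TLD)."""
    labels = _labels(name)
    best = ("*",)
    for rule_labels, is_exception in rules:
        if not _rule_matches(rule_labels, labels):
            continue
        if is_exception:
            # An exception rule's suffix is the rule minus its leftmost label.
            return ".".join(labels[len(labels) - len(rule_labels) + 1:])
        if len(rule_labels) > len(best):
            best = rule_labels
    return ".".join(labels[len(labels) - len(best):])


def base_domain(name, rules):
    """Public suffix plus one label, or None when name is itself a public suffix."""
    labels = _labels(name)
    suffix_len = len(public_suffix(name, rules).split("."))
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[len(labels) - suffix_len - 1:])


def dns01_validation_name(identifier):
    """Name under which the dns-01 TXT record is placed (RFC 8555).
    A wildcard identifier may carry only a single leading "*." label."""
    name = identifier[2:] if identifier.startswith("*.") else identifier
    if "*" in name:
        raise ValueError("only a single leading wildcard label is allowed: " + identifier)
    return "_acme-challenge." + name


def psl_permits_wildcard(identifier, rules):
    """Hypothetical PSL-consulting policy: refuse a wildcard whose parent
    is itself a public suffix under the given list snapshot."""
    parent = dns01_validation_name(identifier)[len("_acme-challenge."):]
    return base_domain(parent, rules) is not None


if __name__ == "__main__":
    for label, text in (("snapshot A", PSL_SNAPSHOT_A), ("snapshot B", PSL_SNAPSHOT_B)):
        rules = parse_psl(text)
        print(label, "base_domain(tenant.sites.example) =",
              base_domain("tenant.sites.example", rules))
        print(label, "permits *.sites.example:",
              psl_permits_wildcard("*.sites.example", rules))
```

Running it shows the same identifier, `*.sites.example`, accepted under snapshot A and refused under snapshot B, while `tenant.sites.example` moves from being a subdomain of the registrable name to being the registrable name itself. Nothing in the DNS changed between the two runs; only the list revision did, which is the instability the message refers to.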
