[Uta] Wildcards

2021-07-08 Thread Salz, Rich
A discussion started on the GitHub repo https://github.com/richsalz/draft-ietf-uta-rfc6125bis about what is allowed for the wildcard character, such as in DNS entries in subjectAltName. I am about to publish a new draft which takes the old adopted “diff” version and does a full version of 6125

[Uta] I-D Action: draft-ietf-uta-rfc6125bis-01.txt

2021-07-08 Thread internet-drafts
A New Internet-Draft is available from the on-line Internet-Drafts directories. This draft is a work item of the Using TLS in Applications WG of the IETF. Title : Representation and Verification of Domain-Based Application Service Identity within Internet Public Key Infrastruc

Re: [Uta] Wildcards

2021-07-08 Thread Alexey Melnikov
Hi Rich, On 08/07/2021 15:12, Salz, Rich wrote: A discussion started on the GitHub repo https://github.com/richsalz/draft-ietf-uta-rfc6125bis about what is allowed for the wildcard character, such as in DNS entries in subjectAltName. 

Re: [Uta] Wildcards

2021-07-08 Thread Peter Saint-Andre
On 7/8/21 9:02 AM, Alexey Melnikov wrote: > Hi Rich, > > On 08/07/2021 15:12, Salz, Rich wrote: >> >> A discussion started on the GitHub repo >> https://github.com/richsalz/draft-ietf-uta-rfc6125bis >> about what is >> allowed for the wildcar

Re: [Uta] Wildcards

2021-07-08 Thread Jim Fenton
On 8 Jul 2021, at 7:12, Salz, Rich wrote: > A discussion started on the GitHub repo > https://github.com/richsalz/draft-ietf-uta-rfc6125bis about what is allowed > for the wildcard character, such as in DNS entries in subjectAltName. I am > about to publish a new draft which takes the old adop

Re: [Uta] Wildcards

2021-07-08 Thread Salz, Rich
In anticipation of consensus around "only * as the left-most label," I created a PR; https://github.com/richsalz/draft-ietf-uta-rfc6125bis/pull/9

Re: [Uta] Wildcards

2021-07-08 Thread Viktor Dukhovni
On Thu, Jul 08, 2021 at 02:12:51PM +, Salz, Rich wrote: > A discussion started on the GitHub repo > https://github.com/richsalz/draft-ietf-uta-rfc6125bis about what is > allowed for the wildcard character, such as in DNS entries in > subjectAltName. I am about to publish a new draft which tak

Re: [Uta] Wildcards

2021-07-08 Thread Peter Saint-Andre
On 7/8/21 1:41 PM, Viktor Dukhovni wrote: > On Thu, Jul 08, 2021 at 02:12:51PM +, Salz, Rich wrote: > >> A discussion started on the GitHub repo >> https://github.com/richsalz/draft-ietf-uta-rfc6125bis about what is >> allowed for the wildcard character, such as in DNS entries in >> subjectAlt

Re: [Uta] Wildcards

2021-07-08 Thread Viktor Dukhovni
On Thu, Jul 08, 2021 at 01:52:42PM -0600, Peter Saint-Andre wrote: > > So the sooner we can get rid of wildcard certificates entirely, the > > better. They've outlived their usefulness. > > Jeff Hodges and I had hoped to push for deprecating wildcard certs when > working on RFC 6125 10+ years ag

Re: [Uta] Wildcards

2021-07-08 Thread Ryan Sleevi
On Thu, Jul 8, 2021 at 5:47 PM Viktor Dukhovni wrote: > Can "the industry" (CAs, software vendors, ...) unite behind getting the > users to accept the right, but arguably less convenient, tradeoff? No. I think deprecating wildcards would be a bad outcome for users and for server operators. Whi

Re: [Uta] Wildcards

2021-07-08 Thread John Levine
It appears that Viktor Dukhovni said: >That said, it'd be really super if various applications profiles decided >to do away with wildcard certificates entirely. Their $$$ cost >advantage is long gone, and otherwise they just damage security by >enabling cross application protocol attacks, ... Som