On 2017-11-01 11:59, Daniel Margolis wrote:
> The decision to use policy-to-SAN matching instead of policy-to-hostname
> matching was discussed here
> (https://www.ietf.org/mail-archive/web/uta/current/msg01938.html). I
> think the WG was at the time largely in consensus (or we misread the
> consensus). I thought we also discussed this at IETF95, but at this
> point my memory is hazy.
>
> To be clear, I think you are right that this affects a small number of
> users. RFC 7672 also allows this "nexthop" matching, but I think it's OK
> for STS to enforce a "must match the hostname" policy. On the flip side,
> I believe SAN matching is also fairly easy to implement (~10 lines of
> pseudocode in the Appendix--hopefully correct!--and Viktor says OpenSSL
> already exposes such a function).
>
> My understanding is that while you and Jim would prefer hostname
> matching and Viktor (and others?) would prefer SAN matching, nobody has
> said that if their non-preferred option is chosen this is a blocker for
> implementation. Am I right?
>
> If that's correct, process-wise, should we treat this as resolved
> previously (in draft 03), or should we try to revisit the consensus and
> close it out quickly?
I have to agree. Given that few people are speaking up in explicit support for this change, existing consensus holds.

Cheers
Leif