On Mon, Jul 12, 2021 at 4:20 PM Brian Smith <br...@briansmith.org> wrote:

> If we get to the part of validation where RFC 6125 is relevant then we
> already know the wildcard dNSName subjectAltName entry is valid. Given that,
> RFC 6125 just needs to specify how to match, syntactically, a wildcard
> against a reference identifier. (I think this is compatible with what Ryan
> Sleevi wrote in this thread.)

Right, I think we agree that 6125bis doesn't need to tackle that, but it does sound like we disagree why. It seems you're in favor of the "fail fail" scenario, which happens before reaching 6125bis processing, and is rejected for all names asserted. I was arguing for a "fail if used" scenario, where it's only checked after 6125bis comparisons have happened, and which certificate remains valid for the other names it asserts.

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
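The two policies under discussion, as an added illustration that is not code from the thread or from any 6125bis draft: the rule for what makes a wildcard dNSName entry "valid" (whole left-most label, at least two labels after it) is an assumption chosen for the example, since the thread leaves that to the stage before RFC 6125 matching; the policy names `fail_fast` and `fail_if_used` are likewise the example's own.

```python
import re

# Assumed validity rule for a wildcard dNSName entry (not defined in the thread):
# "*" must be the entire left-most label and at least two labels must follow,
# so "*.example.com" is valid but "*.com" and "f*.example.com" are not.
_LABEL = re.compile(r"^[a-z0-9]([a-z0-9-]*[a-z0-9])?$")


def wildcard_entry_is_valid(presented: str) -> bool:
    labels = presented.lower().rstrip(".").split(".")
    if "*" not in presented:
        return all(_LABEL.match(lbl) for lbl in labels)
    return (labels[0] == "*" and len(labels) >= 3
            and all(_LABEL.match(lbl) for lbl in labels[1:]))


def rfc6125_match(presented: str, reference: str) -> bool:
    """Syntactic comparison in the style of RFC 6125 section 6.4.3: a
    full-label wildcard matches exactly one left-most label, so
    "*.example.com" matches "foo.example.com" but neither "example.com"
    nor "bar.foo.example.com". Partial-label wildcards ("f*.example.com")
    are treated as literal labels here and therefore never match."""
    p = presented.lower().rstrip(".").split(".")
    r = reference.lower().rstrip(".").split(".")
    if len(p) != len(r):
        return False
    if p[0] == "*":
        return p[1:] == r[1:]
    return p == r


def check_reference(san_entries, reference: str, policy: str) -> bool:
    """fail_fast: one invalid wildcard entry rejects the certificate for every
    reference identifier, before any matching happens.
    fail_if_used: matching runs first, and only the entry that actually
    matched the reference identifier has to be valid."""
    if policy == "fail_fast":
        if not all(wildcard_entry_is_valid(e) for e in san_entries):
            return False
    elif policy != "fail_if_used":
        raise ValueError(f"unknown policy {policy!r}")
    return any(rfc6125_match(e, reference) and wildcard_entry_is_valid(e)
               for e in san_entries)


# Constructed SAN list: one good dNSName next to a malformed wildcard entry.
SAN = ["www.example.com", "f*.example.com"]
```

Under `fail_fast` the malformed entry makes the certificate unusable even for `www.example.com`; under `fail_if_used` that name still verifies and only `foo.example.com` fails.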