On 6/27/22 1:08 PM, Viktor Dukhovni wrote:
> On Mon, Jun 27, 2022 at 12:52:00PM -0600, Peter Saint-Andre wrote:
>> Yep, we can punt the definition but then we need to address all the special
>> cases.
>> I would prefer to bring back the reference to RFC 1034.
> A DNS FQDN is a sequence of dot-separated labels each of whose wire forms
> is at most 63 octets, and where the total wire length including the
> final zero length byte (terminating empty root label) is at most 255
> bytes. Due to potential characters that need escaping, the presentation
> form of such a name can contain labels whose length exceeds 63 bytes,
> and the whole name can exceed 255 bytes.
> It is not clear to me that DNS names in certificates are a priori
> constrained by the host requirements RFC which constrains hostnames to
> LDH label forms, although perhaps the scope of RFC6125bis is exclusively
> for certificates that identify end-entities that meet the host
> requirements RFC.
I'm not necessarily saying that - I'm saying only that Jeff and I tried
to find a canonical definition of "fully-qualified domain name" and the
best we could do was RFC 1034. Alternative proposals are welcome.
>> I'm not sure what you mean by "non-public DNS names". As for .local
>> addresses, I'm not sure who would issue certificates for those. However,
>> if you can obtain certificates for either of these name-types, then I
>> don't see why the same rules wouldn't apply.
> A private CA trusted by the relying party can indeed issue certificates
> for "example.local", ...
Of course. I was thinking about public CAs.
Peter
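The wire-form limits Viktor quotes (labels of at most 63 octets, whole name of at most 255 octets including the terminating root label) have to be checked on the wire form, not the presentation form, because escapes inflate the latter. The following is an added example, not code from the thread; it assumes the two RFC 1035 presentation escapes ('\X' and '\DDD'), and the function names are my own.

```python
# Added example: check a presentation-form DNS name against the RFC 1034
# wire-form limits (label <= 63 octets, whole name <= 255 octets including
# the zero-length root label). Escapes follow RFC 1035 section 5.1:
# '\X' is a literal character X, '\DDD' is one octet as three decimal digits.

def presentation_to_wire(name: str) -> bytes:
    """Return the wire form of a presentation-form name, or raise ValueError."""
    labels = []            # completed labels, as bytes
    cur = bytearray()      # octets of the label being parsed
    i = 0
    while i < len(name):
        c = name[i]
        if c == "\\":
            ddd = name[i + 1:i + 4]
            if len(ddd) == 3 and ddd.isdigit():
                octet = int(ddd)                  # \DDD escape -> one octet
                if octet > 255:
                    raise ValueError(f"bad escape \\{ddd}")
                cur.append(octet)
                i += 4
            elif i + 1 < len(name):
                cur.extend(name[i + 1].encode())   # \X escape -> literal X
                i += 2
            else:
                raise ValueError("trailing backslash")
        elif c == ".":
            if cur:
                labels.append(bytes(cur))
                cur = bytearray()
            elif i != len(name) - 1 or (i > 0 and name[i - 1] == "."):
                raise ValueError("empty label")    # only a final dot may follow
            i += 1
        else:
            cur.extend(c.encode())
            i += 1
    if cur:
        labels.append(bytes(cur))
    for label in labels:
        if len(label) > 63:
            raise ValueError(f"label of {len(label)} octets exceeds 63")
    # Each label is length-prefixed; the root label is a single zero byte.
    wire = b"".join(bytes([len(l)]) + l for l in labels) + b"\x00"
    if len(wire) > 255:
        raise ValueError(f"wire form of {len(wire)} octets exceeds 255")
    return wire


def is_valid_fqdn(name: str) -> bool:
    """True when the name fits the RFC 1034 wire-form limits."""
    try:
        presentation_to_wire(name)
        return True
    except ValueError:
        return False
```

A label written as 63 escaped dots is 126 characters in presentation form yet only 63 octets on the wire, so it passes, while 64 plain letters fail.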
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta