On 1/31/23 10:51 PM, Watson Ladd wrote:

How about this:

"The conversion from a U-label to an A-label MUST be done once and
used both to carry out the DNS lookup and the evaluation of the end
entity cert. Name constraints MUST be evaluated against the A-label
converted name.
This ensures that the same DNS entity as is actually connected to is
validated against the certificate even in the presence of bugs in the
conversion process".

Something along these lines seems reasonable.

I think the U-label and A-label text would have to be tweaked to the
right form for a name containing those and one you can directly look
up.

It's not quite clear to me what you have in mind. Would you mind spelling it out more fully?

Peter


_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
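
The rule in the proposed text above, as an added example that is not part of the original message: the name is converted to A-label form once, and that single value is both handed back for the DNS lookup and used for the certificate and name-constraint checks. Assumptions: Python's built-in "idna" codec (IDNA2003) stands in for the converter, the matching rules are simplified, and the function names and sample names are hypothetical and constructed.

```python
from dataclasses import dataclass


def to_a_label(name: str) -> str:
    """Convert a possibly-Unicode host name to its A-label (ASCII) form.

    Assumption: the stdlib "idna" codec (IDNA2003) is the converter; a real
    deployment would pick its IDNA library deliberately.
    """
    return name.rstrip(".").encode("idna").decode("ascii").lower()


def san_matches(a_name: str, san: str) -> bool:
    """Compare an A-label name with one dNSName SAN entry (simplified)."""
    san = san.lower()
    if san.startswith("*."):
        # A wildcard covers exactly one left-most label.
        head, _, rest = a_name.partition(".")
        return bool(head) and rest == san[2:]
    return a_name == san


def within_constraint(a_name: str, subtree: str) -> bool:
    """dNSName constraint check: the name equals the subtree or is below it."""
    subtree = subtree.lower().lstrip(".")
    return a_name == subtree or a_name.endswith("." + subtree)


@dataclass(frozen=True)
class Decision:
    lookup_name: str  # the name the caller must pass to the resolver
    cert_ok: bool     # SAN match and name constraints, on that same name


def check_peer(user_name, san_dns_names, permitted_subtrees) -> Decision:
    a_name = to_a_label(user_name)  # the only conversion in the whole flow
    ok = any(san_matches(a_name, s) for s in san_dns_names) and any(
        within_constraint(a_name, p) for p in permitted_subtrees
    )
    # No later step re-converts user_name, so a converter bug cannot make the
    # resolver and the certificate check disagree about the target.
    return Decision(lookup_name=a_name, cert_ok=ok)


# Constructed sample: user-typed name, leaf SAN, and a CA's permitted subtree.
SAMPLE = check_peer(
    "www.bücher.example", ["*.xn--bcher-kva.example"], ["xn--bcher-kva.example"]
)
```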
