Opened 7 years ago

Closed 7 years ago

#56 closed defect (fixed)

"*" domain labels MUST NOT be redacted

Reported by: rob.stradling@…
Owned by: rob.stradling@…
Priority: major
Milestone:
Component: rfc6962-bis
Version:
Severity: -
Keywords:
Cc:

Description

I can't think of any legitimate reason to redact a "*" label.

We should disallow redaction of "*" labels, so that a bad actor cannot attempt to hide their use of "*" labels in a disallowed context (e.g. EV certs).

6962-bis needs to state this as a CA requirement.

Change History (3)

comment:1 Changed 7 years ago by rob.stradling@…

The current text of 6962-bis says:
'When creating a Precertificate, the CA MAY substitute one or more of the complete leftmost labels in each DNS-ID with the literal string "(PRIVATE)".'

On the mailing list we considered relaxing the "complete" and/or "leftmost" requirements, but everyone seems to agree that both of these requirements should remain.

Peter Bowen suggests that...
'...if the left most label is exactly "*", then it is considered redacted for the purposes of determining if the label to the right may be redacted. That would allow *.?.?.example.com to be an allowable redaction.'

(Note: Peter's example assumes that we will change the redaction label from "(PRIVATE)" to "?", as proposed in ticket #54).
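An added example (not part of this ticket or of the 6962-bis draft) of how a CT log or auditor could check a Precertificate DNS-ID against the final certificate's DNS-ID under the rule discussed above: redacted labels must form a contiguous leftmost run, a leftmost "*" counts as redacted for that run but is never itself replaced, and a redacted label must never stand in for a "*". It assumes the redaction label is "?" (the ticket #54 proposal; the current text uses "(PRIVATE)") and that the names are already in plain dotted form.

```python
from typing import Tuple

# Assumed redaction label, per the ticket #54 proposal referenced above.
REDACTED = "?"
WILDCARD = "*"


def check_redaction(precert_dns_id: str, final_dns_id: str) -> Tuple[bool, str]:
    """Return (ok, reason): is the Precertificate DNS-ID a valid redaction of the
    final certificate's DNS-ID?  Labels are compared position by position."""
    pre = precert_dns_id.split(".")
    fin = final_dns_id.split(".")
    if len(pre) != len(fin):
        return False, "label count differs"

    # Walk the leftmost run of labels that count as redacted: "?" anywhere in the
    # run, or "*" only in the leftmost position (Peter Bowen's suggestion).
    i = 0
    while i < len(pre) and (pre[i] == REDACTED or (i == 0 and pre[i] == WILDCARD)):
        if pre[i] == WILDCARD:
            # A "*" in the Precertificate must be a real "*" in the final cert.
            if fin[i] != WILDCARD:
                return False, "precert has '*' where final cert does not"
        elif fin[i] == WILDCARD:
            # The CA requirement this ticket asks for: "*" MUST NOT be redacted.
            return False, "'*' label MUST NOT be redacted"
        i += 1

    # Everything to the right of the run must be complete and identical;
    # a "?" here would be a non-leftmost redaction, which the draft disallows.
    for j in range(i, len(pre)):
        if pre[j] == REDACTED:
            return False, "redacted label is not leftmost"
        if pre[j] != fin[j]:
            return False, "label mismatch"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample pairs (precert DNS-ID, final cert DNS-ID).
    for pair in [("*.?.?.example.com", "*.foo.bar.example.com"),
                 ("?.?.example.com", "*.bar.example.com"),
                 ("?.foo.?.example.com", "a.foo.b.example.com")]:
        print(pair, "->", check_redaction(*pair))
```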

comment:2 Changed 7 years ago by rob.stradling@…

  • Owner changed from draft-ietf-trans-rfc6962-bis@… to rob.stradling@…
  • Status changed from new to assigned

comment:3 Changed 7 years ago by rob.stradling@…

  • Resolution set to fixed
  • Status changed from assigned to closed