Opened 7 years ago

Closed 7 years ago

#60 closed defect (fixed)

The number of redacted labels should be revealed in the Precertificate

Reported by: rob.stradling@… Owned by: rob.stradling@…
Priority: major Milestone: review
Component: rfc6962-bis Version:
Severity: - Keywords:
Cc: pzbowen@…

Description

The current -bis draft says:

'When creating a Precertificate, the CA MAY substitute one or more of the complete leftmost labels in each DNS-ID with the literal string "(PRIVATE)".'

In a recent thread on the list there was clear support for the idea of requiring a separate token for each redacted label, instead of permitting one token to cover several redacted labels.

Also, it would be nice to use a token that is shorter than "(PRIVATE)". Steve Kent has asked that we consult some DNS experts before we make a final decision on what the token will be. I'll kick off some discussion on that and report back to this ticket. For now, my proposal is "?".

Quick comparison of how to redact 2 labels from "a.b.example.com":

Current -bis draft: (PRIVATE).example.com
This proposal: ?.?.example.com
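
The two schemes side by side, as an added example that is not part of this ticket or the -bis draft: it redacts the leftmost labels of a DNS-ID each way and then tries to recover the redacted-label count from the result, which only the per-label scheme allows. The requirement that at least one real label survive and the rejection of a token in a non-leftmost position are assumptions of this example, not text from the draft.

```python
"""Redaction of leftmost DNS-ID labels: current -bis draft vs. per-label proposal."""

DRAFT_TOKEN = "(PRIVATE)"  # one token covers any number of redacted labels
PROPOSED_TOKEN = "?"       # one token per redacted label (token still under discussion)


def _split(dns_id: str, n: int) -> list:
    labels = dns_id.split(".")
    # Assumption: at least one label is redacted and at least one real label remains.
    if not 1 <= n < len(labels):
        raise ValueError("n must be between 1 and len(labels) - 1")
    return labels


def redact_current_draft(dns_id: str, n: int) -> str:
    """Current draft: replace the n leftmost labels with a single "(PRIVATE)"."""
    labels = _split(dns_id, n)
    return ".".join([DRAFT_TOKEN] + labels[n:])


def redact_proposed(dns_id: str, n: int) -> str:
    """This ticket's proposal: replace each of the n leftmost labels with "?"."""
    labels = _split(dns_id, n)
    return ".".join([PROPOSED_TOKEN] * n + labels[n:])


def redacted_label_count(redacted_name: str, token: str):
    """Number of labels a verifier can see were redacted.

    Returns an int for the per-label scheme, and None when the single
    "(PRIVATE)" token is present, because it hides how many labels it covers.
    """
    labels = redacted_name.split(".")
    count = 0
    while count < len(labels) and labels[count] == token:
        count += 1
    # Assumption: redaction is only ever applied to the leftmost labels, so a
    # token appearing after a real label is malformed.
    if token in labels[count:]:
        raise ValueError("redaction token found in a non-leftmost position")
    if count == 0:
        return 0
    return None if token == DRAFT_TOKEN else count


if __name__ == "__main__":
    # Constructed input, the same name the ticket uses for its comparison.
    for fn in (redact_current_draft, redact_proposed):
        print(fn("a.b.example.com", 2))
```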

Change History (7)

comment:1 Changed 7 years ago by rob.stradling@…

  • Owner changed from draft-ietf-trans-rfc6962-bis@… to rob.stradling@…

comment:2 Changed 7 years ago by rob.stradling@…

  • Type changed from enhancement to defect

comment:3 Changed 7 years ago by rob.stradling@…

  • Status changed from new to assigned

comment:4 Changed 7 years ago by pzbowen@…

  • Cc pzbowen@… added

comment:5 Changed 7 years ago by rob.stradling@…

Committed as...
https://github.com/google/certificate-transparency-rfcs/commit/82ee686fa39a4fc10b6bca05aca0aa3d6ca5afd3

Leaving this ticket open whilst we consult some DNS experts on "?".

comment:6 Changed 7 years ago by benl@…

  • Milestone set to review

comment:7 Changed 7 years ago by melinda.shore@…

  • Resolution set to fixed
  • Status changed from assigned to closed