From 82ee686fa39a4fc10b6bca05aca0aa3d6ca5afd3 Mon Sep 17 00:00:00 2001 From: Rob Stradling Date: Tue, 17 Feb 2015 15:40:35 +0000 Subject: [PATCH] Reveal the number of redacted labels; Change (PRIVATE) to ? Ticket #60. --- rfc6962-bis.xml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/rfc6962-bis.xml b/rfc6962-bis.xml index e27e4e4..2e37148 100644 --- a/rfc6962-bis.xml +++ b/rfc6962-bis.xml @@ -444,12 +444,14 @@ Validation Certificates.
- When creating a Precertificate, the CA MAY substitute one or more of -the complete leftmost labels in each DNS-ID with the literal string -(PRIVATE). For example, if a certificate contains a + When creating a Precertificate, the CA MAY substitute one or more +labels in each DNS-ID with a corresponding number of +? labels. Every label to the left of a +? label MUST also be a +? label. For example, if a certificate contains a DNS-ID of top.secret.example.com, then the corresponding Precertificate could contain -(PRIVATE).example.com instead. Labels in a +?.?.example.com instead. Labels in a CN-ID MUST remain unredacted. @@ -1396,8 +1398,8 @@ corrective action when a misissue is detected.
CAs SHOULD NOT redact domain name labels in Precertificates such that the entirety of the domain space below the unredacted part of the domain name is not owned or controlled by a single entity -(e.g. (PRIVATE).com and -(PRIVATE).co.uk would both be problematic). Logs +(e.g. ?.com and +?.co.uk would both be problematic). Logs MUST NOT reject any Precertificate that is overly redacted but which is otherwise considered compliant. It is expected that monitors will treat overly redacted Precertificates as potentially misissued. TLS clients MAY reject a
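Review bot: In the first hunk (@@ -444,12 +444,14 @@), the new first sentence drops the "complete leftmost labels" restriction of the old text and only restores it indirectly through the following sentence ("Every label to the left of a ? label MUST also be a ? label"), so a reader of the first sentence alone could take "one or more labels" as permitting a redacted label in the middle of a name; consider saying "one or more of the leftmost labels" in the first sentence as well and keeping the MUST as the normative statement. Also, per the subject line, the change now reveals how many labels were redacted (`?.?.example.com` exposes the depth of the hidden name), which is a deliberate privacy trade-off against the old single `(PRIVATE)` marker; that trade-off is not mentioned in the hunk and should be recorded where the draft discusses redaction so monitors and CAs understand what is still leaked.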
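Review bot: In the second hunk (@@ -1396,8 +1398,8 @@), only the two examples are updated from `(PRIVATE)` to `?`, but the over-redaction criterion itself is unchanged even though redaction can now span several labels; with the new syntax a name such as `?.?.co.uk` is just as problematic as `?.co.uk`, and a multi-label example would make clear that the test is applied to the unredacted suffix, not to the count of `?` labels. Since the text leaves it to monitors to treat overly redacted Precertificates as potentially misissued while Logs MUST NOT reject them, it would also help to state what a monitor should compare the unredacted suffix against, so that monitors apply the "single entity" check consistently.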