[161081] in North American Network Operators' Group


Re: looking for terminology recommendations concerning non-rooted

daemon@ATHENA.MIT.EDU (Brian Reichert)
Mon Feb 25 13:05:27 2013

Date: Mon, 25 Feb 2013 12:49:41 -0500
From: Brian Reichert <reichert@numachi.com>
To: Jay Ashworth <jra@baylink.com>
In-Reply-To: <24025524.7172.1361812680297.JavaMail.root@benjamin.baylink.com>
Cc: NANOG <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

On Mon, Feb 25, 2013 at 12:18:00PM -0500, Jay Ashworth wrote:
> If I understood Brian correctly, his problem is that people/programs
> are trying to retrieve things from, eg:
> 
> https://my.host.name./this/is/a/path
> 
> and the SSL library fails the certificate match if the cert doesn't contain
> the absolute domain name as an altName -- because *the browser* (or whatever)
> does not normalize before calling the library.

I'd argue that if you have an absolute domain name, then that _is_
the 'normalized' form of the domain name; it's an unambiguous
representation of the domain name. (Here, I'm treating the string
as a serialized data structure.)

Choosing to remove the notion of "this is rooted", and then asking
any (all?) other layers to handle the introduced ambiguity sounds
like setting yourself up for the issues that RFC 1535 was drawing
attention to.

> Cheers,
> -- jra
> -- 
> Jay R. Ashworth                  Baylink                       jra@baylink.com
> Designer                     The Things I Think                       RFC 2100
> Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
> St Petersburg FL USA               #natog                      +1 727 647 1274

-- 
Brian Reichert				<reichert@numachi.com>
BSD admin/developer at large	
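
The certificate mismatch described in the quoted text, and the search-list ambiguity that RFC 1535 addresses, as an added example that is not part of the original message. All function names, the SAN list and the search suffix are constructed for illustration; only exact dNSName entries are handled (no wildcards), certificate names are assumed to be fully qualified, and the resolver model is simplified.

```python
# Added illustration: names and sample values below are constructed.

def strict_match(requested, san_names):
    """Exact, case-insensitive comparison with no trailing-dot handling.
    This is the behaviour that rejects 'my.host.name.' against 'my.host.name'."""
    return requested.lower() in [n.lower() for n in san_names]


def to_absolute(name):
    """Serialize a fully qualified name in rooted form (one trailing dot)."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def absolute_match(requested, san_names):
    """Compare both sides in rooted form instead of discarding the root marker.
    Assumption: every dNSName in the certificate is fully qualified."""
    return to_absolute(requested) in [to_absolute(n) for n in san_names]


def resolver_candidates(name, search_list):
    """Simplified stub-resolver model: a rooted name is looked up as-is,
    while a non-rooted name may also be tried with each search suffix.
    Real resolvers differ in ordering and in when they apply the list."""
    if name.endswith("."):
        return [name.lower()]
    expanded = [(name + "." + suffix + ".").lower() for suffix in search_list]
    return expanded + [to_absolute(name)]


if __name__ == "__main__":
    san = ["my.host.name"]            # constructed subjectAltName entries
    search = ["corp.example"]         # constructed resolver search list
    for host in ("my.host.name", "my.host.name."):
        print(host,
              "strict:", strict_match(host, san),
              "rooted-compare:", absolute_match(host, san),
              "lookups:", resolver_candidates(host, search))
```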

