Tonight, I spent a few hours implementing RFC5952: https://github.com/colmmacc/s2n/commit/4e7d2424b059b1350353fbb95c251d5ff024535e … ... because it turns out that there's no portable way to be sure that IPv6 strings will be in a canonical format. How is that not fixed in 2019? Crazy! Exact-match is needed in many applications.
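An added example, not part of the thread and not the s2n code in the linked commit: a minimal formatter for the RFC 5952 section 4 text form, so that two spellings of one address compare equal as strings. The function names `ipv6_canonical` and `ipv6_canonical_str` are hypothetical, POSIX `inet_pton()` is assumed for parsing only, and the sample address is constructed.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <string.h>

/* Added example; names are hypothetical. RFC 5952 section 4 form: lowercase
 * hex, no leading zeros, "::" for the longest run of 2+ zero groups (the
 * leftmost on a tie). Section 5 mixed IPv4 notation is not emitted. */
int ipv6_canonical(const unsigned char a[16], char *out, size_t len)
{
    unsigned g[8];
    int best = -1, best_len = 1, sep = 0, i, j;
    size_t n = 0;
    if (len < INET6_ADDRSTRLEN)
        return -1;
    for (i = 0; i < 8; i++)
        g[i] = ((unsigned)a[2 * i] << 8) | a[2 * i + 1];
    for (i = 0; i < 8; i = (j > i) ? j : i + 1) {
        for (j = i; j < 8 && g[j] == 0; j++) ;
        if (j - i > best_len) {   /* strict ">" keeps the leftmost run */
            best = i;
            best_len = j - i;
        }
    }
    for (i = 0; i < 8;) {
        if (i == best) {          /* emit "::" in place of the chosen run */
            n += snprintf(out + n, len - n, "::");
            i += best_len;
            sep = 0;
        } else {
            n += snprintf(out + n, len - n, "%s%x", sep ? ":" : "", g[i++]);
            sep = 1;
        }
    }
    return 0;
}

/* Canonicalize any text inet_pton() accepts; -1 if it does not parse. */
int ipv6_canonical_str(const char *in, char *out, size_t len)
{
    unsigned char raw[16];
    return inet_pton(AF_INET6, in, raw) == 1 ? ipv6_canonical(raw, out, len) : -1;
}

int main(void)
{
    char out[INET6_ADDRSTRLEN];   /* input below is a constructed sample */
    if (ipv6_canonical_str("2001:0DB8:0:0:1:0:0:1", out, sizeof out) == 0)
        puts(out);
    return 0;
}
```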
Also, a single callback means an IP will be validated if it's in a DNS SAN. That has finally been eradicated from the WebPKI, and it would be a shame to see it facilitated in private PKIs, as it puts pressure on other validators to also be lax, when the trend is to be stricter.