[{"author": "Valery Smyslov", "text": "

I can watch zulip/chat

", "time": "2022-07-27T17:31:23Z"}, {"author": "Valery Smyslov", "text": "

Thanks Ben!

", "time": "2022-07-27T17:31:50Z"}, {"author": "Alexey Melnikov", "text": "

I would like this done, but I am not convinced that doing it in the same document is a good idea.

", "time": "2022-07-27T17:37:30Z"}, {"author": "Valery Smyslov", "text": "

@Alexey: do you want to relay this to the room?

", "time": "2022-07-27T17:39:07Z"}, {"author": "Alexey Melnikov", "text": "

Sure

", "time": "2022-07-27T17:39:22Z"}, {"author": "Erik Nygren", "text": "

Name constraints are defined for IP addresses

", "time": "2022-07-27T17:44:47Z"}, {"author": "Erik Nygren", "text": "

(just looked yesterday)

", "time": "2022-07-27T17:44:53Z"}, {"author": "Alexey Melnikov", "text": "

I will review the PR and can either say \u201cit is fine as a patch\u201d or will propose a separate draft

", "time": "2022-07-27T17:46:02Z"}, {"author": "Martin Thomson", "text": "

@Alexey Melnikov thanks

", "time": "2022-07-27T17:46:36Z"}, {"author": "Martin Thomson", "text": "

@Erik Nygren oh dear, I don't think that we support those... I'll have to check now

", "time": "2022-07-27T17:46:53Z"}, {"author": "Martin Thomson", "text": "

Of course name constraints are really out of scope for this work.

", "time": "2022-07-27T17:47:21Z"}, {"author": "Erik Nygren", "text": "

it does them as doubling up the octet strings: one with the prefix, the other with a bitmask.

", "time": "2022-07-27T17:47:48Z"}, {"author": "Corey Bonnell", "text": "

and the bitmask encodes the CIDR prefix in a terribly bloated fashion

", "time": "2022-07-27T17:48:37Z"}, {"author": "Erik Nygren", "text": "

I think CAA could also really benefit from being defined for IP addresses.

", "time": "2022-07-27T17:48:53Z"}, {"author": "Erik Nygren", "text": "

yeah, it uses a netmask rather than a prefix length. (which really makes me wonder what happens if it is sparse)

", "time": "2022-07-27T17:50:11Z"}, {"author": "Corey Bonnell", "text": "

Erik Nygren said:

yeah, it uses a netmask rather than a prefix length. (which really makes me wonder what happens if it is sparse)

https://github.com/mozilla/pkipolicy/issues/216

", "time": "2022-07-27T17:52:31Z"}, {"author": "Steffen Fries", "text": "

that is not true

", "time": "2022-07-27T18:02:22Z"}, {"author": "Martin Thomson", "text": "

@Steffen Fries try typing the answer here :)

", "time": "2022-07-27T18:02:32Z"}, {"author": "Steffen Fries", "text": "

we can discuss on the list

", "time": "2022-07-27T18:02:33Z"}, {"author": "Martin Thomson", "text": "

It sounds like the suggestion I made might work, but it would require some application-level changes to have it work properly.

", "time": "2022-07-27T18:03:07Z"}, {"author": "Leif Johansson", "text": "

you might try a page reload

", "time": "2022-07-27T18:03:08Z"}, {"author": "Martin Thomson", "text": "

\"have you turned it off and on again\"

", "time": "2022-07-27T18:04:33Z"}, {"author": "Steffen Fries", "text": "

One of the reasons to recheck a certificate was that expired or revoked certificates shall not be used to open a TLS session. This requirement was taken over for long-lived connections. With renegotiation this could be checked in ongoing connections. In TLS 1.3 it requires the application to do this verification.

", "time": "2022-07-27T18:06:03Z"}, {"author": "Steffen Fries", "text": "

as renegotiation cannot be used to trigger this. This in turn requires the application to store the certificate

", "time": "2022-07-27T18:07:13Z"}, {"author": "Martin Thomson", "text": "

Is this syslog thing on github?

", "time": "2022-07-27T18:08:02Z"}, {"author": "Steffen Fries", "text": "

I would review too

", "time": "2022-07-27T18:08:29Z"}, {"author": "Alexey Melnikov", "text": "

I read the draft and it looked fine to me.

", "time": "2022-07-27T18:08:39Z"}, {"author": "Alexey Melnikov", "text": "

So yes, WGLC it

", "time": "2022-07-27T18:08:57Z"}, {"author": "Martin Thomson", "text": "

@Steffen Fries Steffen, I assume that the application is always required to do some of the checking, is that right?

", "time": "2022-07-27T18:09:07Z"}, {"author": "Valery Smyslov", "text": "

@Martin: The draft is adopted, it's UTA WG doc

", "time": "2022-07-27T18:09:16Z"}, {"author": "Steffen Fries", "text": "

yes, true, the difference is that it now has to store the certificate to recheck it

", "time": "2022-07-27T18:09:40Z"}, {"author": "Valery Smyslov", "text": "

I don't know if it is on github

", "time": "2022-07-27T18:09:46Z"}, {"author": "Martin Thomson", "text": "

@Valery Smyslov I was just looking to make a very minor tweak, best provided as a pull request. Maybe @Sean Turner or @Joseph Salowey can point me in that direction.

", "time": "2022-07-27T18:10:34Z"}, {"author": "Erik Nygren", "text": "

Claiming all customer IP space with a wildcard certificate really sounds like asking for trouble...

", "time": "2022-07-27T18:12:04Z"}, {"author": "Andrei Popov", "text": "

Client volunteering a certificate suggestion should be discussed in the TLS WG, not UTA.

", "time": "2022-07-27T18:12:57Z"}, {"author": "Alexey Melnikov", "text": "

This reminds me of SIDR work. Maybe they already have a way of doing IP address prefixes

", "time": "2022-07-27T18:13:12Z"}, {"author": "Erik Nygren", "text": "

Being able to send IP addresses in SNI would make ADD DDR much cleaner, and I think we'll regret it if we don't. I'll hopefully upload a draft (aiming for the TLS WG) later today as soon as I figure out why the I-D tool isn't accepting my submission.

", "time": "2022-07-27T18:13:26Z"}]