Reserved names for hostnames and usernames

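"Hostnames and usernames to reserve" covers which names should be reserved when running a public service.

First is the hostname part: the names used by the various protocols are scattered across the individual standards. In addition, the "Public Suffix List maintained by Mozilla" mentioned a few days ago can be used to more or less block cookies...

What interests me more is the standard for the email part, where the discussion is mainly about SSL certificate registration. Item 4 of "Authorization by Domain Name Registrant" in "Baseline_Requirements_V1_3_1" says: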

Communicating with the Domain’s administrator using an email address created by pre‐pending ‘admin’, ‘administrator’, ‘webmaster’, ‘hostmaster’, or ‘postmaster’ in the local part, followed by the at‐sign (“@”), followed by the Domain Name, which may be formed by pruning zero or more components from the requested FQDN;

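In other words, only the mail addresses listed above may be used for validation. To be safe, though, the ones defined in RFC 2412 should be blocked as well. The usernames listed by both of these standards are reasonable, and there is nothing wrong with them.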
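An added example, not code from the original post: a signup check that refuses the five local parts in the quoted Baseline Requirements text, plus a helper that lists every address a CA could mail for a given FQDN. The function names and the two-label pruning floor are assumptions made for this example.

```python
import unicodedata

# Local parts the quoted Baseline Requirements text lets a CA use for
# domain-validation mail.
CA_VALIDATION_LOCAL_PARTS = frozenset(
    {"admin", "administrator", "webmaster", "hostmaster", "postmaster"}
)


def normalize_local_part(name: str) -> str:
    """Fold case and Unicode compatibility forms before comparing."""
    return unicodedata.normalize("NFKC", name).strip().casefold()


def is_reserved_local_part(name: str) -> bool:
    """True if a user-chosen mailbox name must be refused at signup."""
    return normalize_local_part(name) in CA_VALIDATION_LOCAL_PARTS


def candidate_domains(fqdn: str, min_labels: int = 2) -> list[str]:
    """Domains formed by pruning zero or more left-most labels.

    Assumption: pruning stops at `min_labels` labels. A real deployment
    would stop at the registrable domain from the Public Suffix List.
    """
    labels = fqdn.rstrip(".").lower().split(".")
    return [
        ".".join(labels[i:])
        for i in range(0, max(len(labels) - min_labels, 0) + 1)
    ]


def ca_validation_addresses(fqdn: str) -> list[str]:
    """Every mailbox that could receive validation mail for `fqdn`."""
    return [
        f"{local}@{domain}"
        for domain in candidate_domains(fqdn)
        for local in sorted(CA_VALIDATION_LOCAL_PARTS)
    ]


if __name__ == "__main__":
    # Constructed sample inputs.
    for requested in ["alice", "Admin", "ＰＯＳＴＭＡＳＴＥＲ", " webmaster "]:
        print(repr(requested), "reserved:", is_reserved_local_part(requested))
    for addr in ca_validation_addresses("mail.eu.example.com"):
        print(addr)
```

Because of the pruning rule, a mailbox such as `admin@example.com` can authorize a certificate for any host below `example.com`, so the check belongs on every domain where users can pick their own mailbox name.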

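Finally there is the discussion of the path part, which has quite a few landmines worth looking at, especially the problems created by the newest one, ACME XDDD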


In "Kudos - A Peer-to-Peer Discussion System Based on Social Voting" I came across a decentralized forum system with a vote-score mechanism and related topic mechanisms:

Decentralized Reddit using a DHT to store content and a blockchain to rank such content. Whitepaper with more details here:

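From the paper you can see that the design ideas were inspired by Bitcoin, and so were the algorithms... In other words, Bitcoin's influence reaches far beyond the financial markets, and the theory Bitcoin uses has given other fields a lot of ideas.

If a system like this is workable (I haven't studied it closely yet @_@), a truly decentralized forum system will appear...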

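CNNIC applies to become a CA/Browser Forum member

From the minutes of the face-to-face meeting: right at the start of the first day's minutes, "2015-06-24 Face-to-Face Meeting 35 Minutes", CNNIC is seen applying to become a member of the CA/Browser Forum.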


1. They don’t appear to be licensed in China (BRs requires that a CA be licensed in the country they do business if a licensing scheme is in place) and

The second is that it holds the roles of both CA and ccTLD registrar at the same time:

2. they appear to be a registrar for a TLD as well as a CA.

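Next, the second day opens with discussion of the EV Wildcard issue (currently not allowed) and the Domain Validation issue. At the end you can see that Chunghwa Telecom will host part of 2017? Not quite sure...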

Host 2017

Chunghwa Telecom February or October (Taiwan)

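CA/Browser Forum discusses domain validation and the CNNIC matter

The CA/Browser Forum minutes from two weeks ago discussed domain validation and the CNNIC matter: "Minutes of CA-Browser Forum Meeting – 2 April 2015".

In response to the concern raised by US-CERT, it looks like the CA/Browser Forum will not be improving "validation" for the time being: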

The consensus was that US-CERT was incorrect in saying the email method of domain confirmation presents a vulnerability, that no changes were required, and that the Forum did not need to make any formal response to the US-CERT advisory.

As for the CNNIC matter, they likewise expressed "not my damn problem":

CNNIC sub-CA issue: The members discussed the recent CNNIC sub-CA issue, and noted that Google had recently published its response. Gerv stated that Mozilla was about to publish its response, which would be similar to the Google response. There was consensus that the Forum did not need to take any action.


Vote on .onion SSL certificates (Tor Network)

SSL certificates for .onion have been put to a vote at the CAB Forum: "Ballot 144 – Validation rules for .onion names".

Some of the time limits differ from those for ordinary SSL certificates:

CAs MUST NOT issue a Certificate that includes a Domain Name where .onion is in the right-most label of the Domain Name with a validity period longer than 15 months. Despite Section 9.2.1 of the Baseline Requirements deprecating the use of Internal Names, a CA MAY issue a Certificate containing an .onion name with an expiration date later than 1 November 2015 after (and only if) .onion is officially recognized by the IESG as a reserved TLD.


On or before May 1, 2015, each CA MUST revoke all Certificates issued with the Subject Alternative Name extension or Common Name field that includes a Domain Name where .onion is in the right-most label of the Domain Name unless the Certificate was issued in compliance with this Appendix F.