From 2400f71681e78120974e17a2e625deab4f2707c6 Mon Sep 17 00:00:00 2001 From: backkem Date: Sun, 1 Jun 2025 13:17:47 +0200 Subject: [PATCH] Add certificate serial number (sn) to mDNS TXT record requirements This fixes a specification bug where the hostname formation requires the certificate serial number, but it was not being advertised in mDNS TXT records, making it impossible for clients to form the correct hostname for TLS SNI. Resolves the discrepancy between hostname formation requirements and mDNS advertisement specifications. --- network.bs | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/network.bs b/network.bs index 5274053..4845228 100644 --- a/network.bs +++ b/network.bs @@ -175,6 +175,11 @@ keys and values: :: An alphanumeric, unguessable token consisting of characters from the set `[A-Za-z0-9+/]`. +: sn +:: The [=certificate serial number=] of the advertising agent, encoded as a + base64 string according to [[!RFC4648]]. This is required for listening + agents to compute the [=agent hostname=] for TLS SNI. + Note: `at` prevents off-LAN parties from attempting authentication; see [[#remote-active-mitigations]]. `at` should have at least 32 bits of true entropy to make brute force attacks impractical. @@ -613,7 +618,7 @@ considered public: 1. IP addresses and ports used by the Open Screen Network Protocol. 1. Data advertised through mDNS, including the display name prefix, the - certificate fingerprint and serial number, and the metadata version. + certificate fingerprint, certificate serial number, and the metadata version. ### Cross Origin State Considerations ### {#cross-origin-state}
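Review bot: the new `sn` entry says the serial number is "encoded as a base64 string according to [[!RFC4648]]" but does not pin down either the input octets or the alphabet, so two agents could derive different [=agent hostname=] strings from the same certificate and the TLS SNI match the commit message describes would fail. RFC 4648 defines both base64 (Section 4) and base64url (Section 5), and a certificate serial number is a DER INTEGER whose encoding may carry a leading zero octet depending on whether the content octets or the unsigned big-endian value are taken. Suggest stating which RFC 4648 section applies (Section 4 base64, as the `at` alphabet `[A-Za-z0-9+/]` suggests), whether `=` padding is emitted, and exactly which bytes of the [=certificate serial number=] are encoded. Also, the entry is inserted between the `at` value and the paragraph "Note: `at` prevents off-LAN parties from attempting authentication", so that note no longer sits next to the key it explains; consider placing `: sn` before `: at` or after the note.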
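Review bot: the second hunk, in the "considered public" list, is editorial only: the original already read "the certificate fingerprint and serial number", so the set of data treated as public does not change, which is consistent with `sn` being added to the advertised TXT record. If the rewrite is meant to give parallel phrasing, make it "the certificate fingerprint, the certificate serial number, and the metadata version" so each item carries its article; as written, the middle item is the only one without "the".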