On 10/7/10 6:57 AM, ArkanoiD wrote:
> Are there any such certificates "in the wild"? Do current clients
> support it? If there aren't any and it is not supported anyway,
> let's keep the status quo and not make things more complicated than
> needed. For www1, www2 etc. one may use an extra name component and
> that's all.

What do you mean by "the status quo" -- the text in version -09 of the
server-id-check I-D (no wildcard in component fragments, like foo*) or
the text in RFC 2818 and several other specs (*oo and f*o and foo* are
fine)?

As far as I can see, allowing wildcards in component fragments makes
things more complicated than needed because a CA needs to have more
complex rules for issuance and a TLS library or application client needs
to have a more complex parsing algorithm (checking for things like
*oo.example.com and foo*.example.com and f*o.example.com instead of just
*.example.com -- it's also not clear to me from RFC 2818 if multiple
instances of the wildcard character are allowed, such that
f*b*r.example.com would be acceptable). Allowing '*' only as the
complete left-most label seems easier to me (and I've received feedback
to that effect off-list, as well).

Peter

--
Peter Saint-Andre
https://stpeter.im/
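The two wildcard policies contrasted above, written out as a name matcher so the difference is concrete. This is an added example, not code from the thread, from the server-id-check I-D, or from any TLS library; `strict_match`, `permissive_match` and the requirement that at least two labels follow the wildcard are this example's own names and choices, and the permissive branch takes the reading of RFC 2818 that Peter says is unclear (more than one '*' per label allowed) as the most lenient case. The sample names are the ones from the message plus a few constructed reference identities.

```python
"""Matching a presented DNS name from a certificate against a reference identity.

Two policies are implemented:
  * strict_match     - '*' accepted only as the complete left-most label
                       (the rule proposed for the server-id-check I-D).
  * permissive_match - '*' accepted anywhere within a label, possibly more
                       than once (a lenient reading of RFC 2818).
Internationalised labels (IDNA) are out of scope here; names are treated
as plain ASCII and compared case-insensitively.
"""
import re


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def strict_match(presented: str, reference: str) -> bool:
    """Accept '*' only as the entire left-most label, matching exactly one label."""
    p, r = _labels(presented), _labels(reference)
    if "*" not in presented:
        return p == r
    # A '*' that is not the whole left-most label (foo*, f*o, *oo, or a
    # wildcard further right) is rejected before any comparison happens.
    if p[0] != "*" or any("*" in lab for lab in p[1:]):
        return False
    # Assumption made in this example (the thread does not spell it out):
    # at least two labels must follow the wildcard, so '*' and '*.com' fail.
    if len(p) < 3:
        return False
    # The wildcard covers exactly one label; foo.bar.example.com must not
    # match *.example.com, so the label counts have to agree.
    return len(p) == len(r) and p[1:] == r[1:]


def permissive_match(presented: str, reference: str) -> bool:
    """Allow '*' anywhere within a label; every label is compared separately."""
    p, r = _labels(presented), _labels(reference)
    if len(p) != len(r):
        return False
    for pl, rl in zip(p, r):
        if "*" not in pl:
            if pl != rl:
                return False
            continue
        # Each '*' becomes '.*'; since rl is a single label it cannot span a dot.
        pattern = "^" + ".*".join(re.escape(part) for part in pl.split("*")) + "$"
        if not re.match(pattern, rl):
            return False
    return True


# Constructed sample pairs: the presented names are those discussed in the
# message; the reference identities are made up for illustration.
SAMPLES = [
    ("*.example.com", "www.example.com"),
    ("*.example.com", "foo.bar.example.com"),
    ("foo*.example.com", "foobar.example.com"),
    ("f*o.example.com", "foo.example.com"),
    ("*oo.example.com", "foo.example.com"),
    ("f*b*r.example.com", "foobar.example.com"),
    ("www.example.com", "www.example.com"),
    ("*.com", "example.com"),
]


def compare_policies(samples=SAMPLES) -> list[tuple[str, str, bool, bool]]:
    """Return (presented, reference, strict, permissive) for each sample pair."""
    return [
        (pres, ref, strict_match(pres, ref), permissive_match(pres, ref))
        for pres, ref in samples
    ]


if __name__ == "__main__":
    for pres, ref, strict, perm in compare_policies():
        print(f"{pres:22} vs {ref:22} strict={strict!s:5} permissive={perm}")
```

Running the block prints one row per sample; the rows for `foo*`, `f*o`, `*oo` and `f*b*r` are the ones where the two policies disagree, which is exactly the extra parsing burden the message points to. Neither policy lets `*.example.com` match `foo.bar.example.com`, since both compare label by label.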

_______________________________________________
certid mailing list
https://www.ietf.org/mailman/listinfo/certid