On Fri, 2010-10-08 at 02:45 +0200, Martin Rex wrote:
> btw. "f*.com" is an rfc-2818 example that _my_ implementation of rfc-2818
> matching unconditionally ignores when found in CN-ID or DNS-ID of a
> server cert--I require at least 3 labels when a wildcard is used.
> Should server-id-check promote "*.com" matching? (I think it should not).

The document does not "promote" the interpretation of "*.com" as a
wildcard, it just declines to make a special case to forbid it.  In any
case, I don't see anything wrong with allowing such matching at the
server-id-check level.  CAs are responsible for not giving an entity a
certificate that matches names the entity does not own.

-- 
Matt

_______________________________________________
certid mailing list
https://www.ietf.org/mailman/listinfo/certid
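The matching behaviour discussed above, as an added example that is not code from either poster, from RFC 2818 or from any TLS library: the RFC 2818 rule that `*` matches one label or label fragment (so `*.a.com` matches `foo.a.com` but not `bar.foo.a.com`, and `f*.com` matches `foo.com` but not `bar.com`), plus the poster's policy of ignoring a wildcard name with fewer than three labels. The function names and the `min_labels` parameter are assumptions; lowering `min_labels` to 1 shows what the unrestricted RFC 2818 rule would accept.

```python
"""RFC 2818-style hostname matching with a minimum-label policy for wildcards.

Constructed example. 'presented' is a CN-ID or DNS-ID taken from a server
certificate; 'reference' is the hostname the client intended to reach.
"""
import re

# Policy from the thread: honour a wildcard only in names with >= 3 labels,
# so "*.com" and "f*.com" are ignored as identifiers. RFC 2818 itself has no
# such rule; pass min_labels=1 to get the bare RFC 2818 behaviour.
MIN_LABELS_FOR_WILDCARD = 3


def _label_matches(pattern: str, label: str) -> bool:
    """RFC 2818: '*' matches any single label or label fragment.
    'f*' therefore matches 'foo' but not 'bar'; comparison is case-insensitive."""
    if "*" not in pattern:
        return pattern.lower() == label.lower()
    parts = [re.escape(p) for p in pattern.lower().split("*")]
    return re.fullmatch(".*".join(parts), label.lower()) is not None


def wildcard_allowed(presented: str, min_labels: int = MIN_LABELS_FOR_WILDCARD) -> bool:
    """Policy gate: a presented name containing '*' is usable only if it has at
    least min_labels labels. Names without a wildcard are always allowed here."""
    if "*" not in presented:
        return True
    return len(presented.rstrip(".").split(".")) >= min_labels


def hostname_matches(presented: str, reference: str,
                     min_labels: int = MIN_LABELS_FOR_WILDCARD) -> bool:
    """Return True if the certificate name 'presented' matches 'reference'."""
    p_labels = presented.rstrip(".").split(".")
    r_labels = reference.rstrip(".").split(".")
    # A wildcard covers exactly one label, so label counts must agree:
    # '*.a.com' must not match 'bar.foo.a.com'.
    if len(p_labels) != len(r_labels):
        return False
    if not wildcard_allowed(presented, min_labels):
        return False  # e.g. '*.com' is ignored under the 3-label policy
    return all(_label_matches(p, r) for p, r in zip(p_labels, r_labels))


if __name__ == "__main__":
    for name, host in [("*.a.com", "foo.a.com"), ("*.a.com", "bar.foo.a.com"),
                       ("*.com", "example.com"), ("f*.com", "foo.com")]:
        print(f"{name:10} vs {host:15} policy={hostname_matches(name, host)} "
              f"rfc2818-only={hostname_matches(name, host, min_labels=1)}")
```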