Matt McCutchen wrote: > > On Thu, 2010-10-07 at 15:26 -0600, Peter Saint-Andre wrote: > > The intended status of this document is BCP = Best Current Practice. > > That "B" is in there for a reason. The question is: does allowing *oo > > and f*o and foo* (and maybe even f*b*r) as wildcard fragments truly > > represent a "best" current practice, or only "current" practice? It > > doesn't strike me as a most excellent, effective, desirable, suitable, > > appropriate, or useful practice, although I freely grant that it is in > > common and general use at the present time. > > I have never seen a certificate with a wildcard that is not a > whole label on a public web site.
The idea behind writing documents such as rfc-2818 is, that implementers don't have to do public opinion polls an apply heuristics, but instead follow the implementation guidelines in the document. It is pretty obvious that rfc-2818 meant to standardize substring wildcard matching with a single wildcard character in the leftmost dns label. What is _not_ clear, is whether rfc-2818 meant to also allow more than one wildcard character in a CN-ID or DNS-ID, wildcards in more than one DNS label or wildcards in other than the leftmost label. I believe that shipping a TLS client that matches a server cert with CN-ID or DNS-ID equal to "*.*.com" is neither reasonable nor responsible, and it I don't care whether a negilgent CA issued such a certificate on purpose or whether an attacker managed to get such a cert issued--there were two bugs published that made this possible: OID integer wraparound and embedded NUL chars in the Subject DName, and a significant part of the installed base does not check server certs for revocation (MSIE on XP/2003). (The folks on domains such as "*.co.uk" or "*.co.tw" are in a slightly more difficult position). -Martin _______________________________________________ certid mailing list [email protected] https://www.ietf.org/mailman/listinfo/certid
