Matt McCutchen wrote:
>
> I have never seen a certificate with a wildcard that is not a
> whole label on a public web site.
Btw. the use of TLS is not limited to the public internet. I don't think that knowing which _public_ website uses this is meaningless. The matching is implemented on the client anyway, not on the server.

A much more interesting question would be, what exact kind of wildcard matching do popular TLS clients actually implement?

- Microsoft SChannel on XP/2003, Vista/Win7
- Firefox 3.x
- Google Chrome
- Apple Safari (non-Windows)
- Opera

We started shipping SSL with our app in 2000/2001. Back then, I noticed that MSIE 5.0x implemented (full-label) wildcard matching (i.e. WinNT 4 and Win9x/ME), but SChannel in Windows 2000 and therefore MSIE 5.0x on Windows 2000 did _NOT_ implement wildcard matching.

For internal testing, I've been using server certs with wildcard CN-IDs since 2000, but not being aware of the wildcard substring matching described in rfc2818 back then, I never tried that myself. I did issue server certs for wildcard substring matching when I implemented rfc-2818, though -- and I consider it likely that other implementors did this as well.

-Martin

_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
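The difference between full-label wildcard matching and the substring matching described in RFC 2818, as an added example that is not part of the original message and is not taken from any of the clients listed above. The function names are hypothetical, the sample names are constructed from the RFC 2818 examples, and two choices are assumptions: a wildcard is honoured only in the left-most label, and `*` inside a label fragment stands for zero or more characters.

```python
"""Full-label vs. RFC 2818 substring wildcard matching (illustrative)."""

def _label_matches(pattern: str, label: str, allow_substring: bool) -> bool:
    """Compare one certificate label against one hostname label."""
    if "*" not in pattern:
        return pattern == label
    if pattern == "*":                       # whole-label wildcard
        return len(label) > 0
    if not allow_substring or pattern.count("*") != 1:
        return False                         # "f*" is rejected in full-label mode
    prefix, suffix = pattern.split("*")
    # Assumption: "*" inside a fragment stands for zero or more characters.
    return (len(label) >= len(prefix) + len(suffix)
            and label.startswith(prefix) and label.endswith(suffix))

def hostname_matches(pattern: str, hostname: str, allow_substring: bool) -> bool:
    """Match a certificate name against the hostname the client connected to."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False                         # a wildcard never spans a dot
    # Assumption: wildcards are honoured only in the left-most label.
    if any("*" in label for label in p[1:]):
        return False
    return _label_matches(p[0], h[0], allow_substring) and p[1:] == h[1:]

def compare(pattern: str, hostname: str) -> tuple:
    """Return (full_label_result, substring_result) for one pair."""
    return (hostname_matches(pattern, hostname, False),
            hostname_matches(pattern, hostname, True))

# Constructed sample pairs; the first four follow the RFC 2818 examples.
SAMPLES = [
    ("*.a.com", "foo.a.com"),
    ("*.a.com", "bar.foo.a.com"),
    ("f*.com", "foo.com"),
    ("f*.com", "bar.com"),
    ("www.*.com", "www.a.com"),
]

if __name__ == "__main__":
    print(f"{'certificate name':<18}{'hostname':<16}{'full-label':<12}substring")
    for pattern, host in SAMPLES:
        full, sub = compare(pattern, host)
        print(f"{pattern:<18}{host:<16}{str(full):<12}{sub}")
```

The `f*.com` row is the one where the two modes disagree, which is why the same certificate can validate in one client and fail in another.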
