On 10/11/10 2:31 PM, Martin Rex wrote:
> Peter Saint-Andre wrote:
>>
>>>
>>> I did issue server certs for wildcard substring matching when I
>>> implemented rfc-2818, though -- and I consider it likely that other
>>> implementors did this as well.
>>
>> That's nice, but not directly relevant to the current discussion because
>> the I-D that Jeff and I have worked on does not override, supersede, or
>> obsolete RFC 2818 or any other prior art about matching rules for
>> application server identity.
> 
> I strongly disagree. The -09 wording:
> 
>    The client MUST fail to match a presented identifier
>    in which the wildcard character is contained within a label fragment
>    (e.g., baz*.example.net is not allowed and MUST NOT be taken to match
>    baz1.example.net and baz2.example.net)
> 
> attempts to invalidate rfc-2818 through the use of "MUST NOT".

The next version (-10) will make it abundantly clear that this I-D does
not (and does not intend to) override, supersede, update, or obsolete
the rules for verifying server identity provided in specifications for
existing application protocols. On this point, Jeff and I have added an
applicability statement to our working copy, which we hope to release in
the next day or two once we've checked it against all the issues that
were raised during IETF Last Call.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/
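An added example (not code from the thread or from either author) that puts the two rules under discussion side by side: the draft's -09 wildcard rule, under which a wildcard inside a label fragment such as baz*.example.net must fail to match, and the looser RFC 2818 section 3.1 rule ("*" matches any single component or component fragment) that the quoted remark about substring matching refers to. Function names are my own, and IDNA handling is deliberately out of scope.

```python
import re


def _labels(name: str) -> list[str]:
    """Split a DNS name into lower-cased labels; a trailing dot is tolerated."""
    name = name.rstrip(".").lower()
    labels = name.split(".")
    if not name or any(label == "" for label in labels):
        raise ValueError(f"malformed DNS name: {name!r}")
    return labels


def matches_draft09(presented: str, reference: str) -> bool:
    """Match a reference hostname against a presented DNS-ID using the
    draft -09 rule quoted in the thread:
      * a wildcard is honoured only when it is the entire left-most label;
      * a wildcard inside a label fragment (baz*.example.net) is rejected
        outright, whatever the reference name is;
      * the wildcard stands for exactly one label, so *.example.net does
        not match a.b.example.net;
      * a wildcard anywhere but the left-most label is rejected.
    """
    p, r = _labels(presented), _labels(reference)
    if any("*" in label for label in p[1:]):
        return False  # wildcard outside the left-most label
    if "*" in p[0] and p[0] != "*":
        return False  # fragment wildcard, e.g. baz*.example.net: MUST fail
    if p[0] == "*":
        return len(p) == len(r) and p[1:] == r[1:]
    return p == r  # no wildcard: exact label-by-label comparison


def matches_rfc2818(presented: str, reference: str) -> bool:
    """Looser RFC 2818 section 3.1 rule: '*' matches any single component
    or component fragment, so f*.com matches foo.com but not bar.com, and
    *.a.com matches foo.a.com but not bar.foo.a.com."""
    p, r = _labels(presented), _labels(reference)
    if len(p) != len(r):
        return False  # a wildcard still never spans a dot
    for plabel, rlabel in zip(p, r):
        # Each '*' inside a label becomes '.*' within that label only.
        pattern = "^" + ".*".join(re.escape(part) for part in plabel.split("*")) + "$"
        if re.match(pattern, rlabel) is None:
            return False
    return True
```

The same presented identifier, baz*.example.net, is accepted for baz1.example.net by the RFC 2818 rule and rejected by the -09 rule, which is exactly the incompatibility the thread is about.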


_______________________________________________
certid mailing list
https://www.ietf.org/mailman/listinfo/certid