----- Original Message -----
> From: "Brian Reichert" <reich...@numachi.com>

> On Mon, Feb 25, 2013 at 12:18:00PM -0500, Jay Ashworth wrote:
> > If I understood Brian correctly, his problem is that people/programs
> > are trying to retrieve things from, eg:
> >
> > https://my.host.name./this/is/a/path
> >
> > and the SSL library fails the certificate match if the cert doesn't contain
> > the absolute domain name as an altName -- because *the browser* (or
> > whatever) does not normalize before calling the library.
>
> I'd argue that if you have an absolute domain name, then that _is_
> the 'normalized' form of the domain name; it's an unambiguous
> representation of the domain name. (Here, I'm treating the string
> as a serialized data structure.)

I disagree, and happily, I can tell you exactly why.

> Choosing to remove the notion of "this is rooted", and then asking
> any (all?) other layers to handle the introduced ambiguity sounds
> like setting yourself up for the issues that RFC 1535 was drawing
> attention to.

The interface we're talking about here is an application on a machine
asking the SSL library "does the certificate which I have retrieved and
handed to you for processing match this domain name?"

*Since that certificate has [possibly] come from a different machine*,
the context in which that evaluation must be done seems necessarily to be
"over the wire/remote", and -- if you accept my earlier premise -- *it[1]
is inherently absolute, no matter what it contains*.

Since that context exists, you can then safely strip off the trailing dot
inside the library before making said comparison.

This is not the same circumstance as being presented with a shortname,
where the actual IP connection/SSL retrieval was done based on the resolver
applying a search path: in this case there's no obvious thing which the
library could add, whereas it *is* obvious what you should strip (and, I
allege, why) in the absolute-name-provided case.

[1] The context of the evaluation, and by extension, the context of the
string you're handing the SSL library to do the match.

Cheers,
-- jra
-- 
Jay R. Ashworth                  Baylink                       j...@baylink.com
Designer                     The Things I Think                       RFC 2100
Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
St Petersburg FL USA               #natog                      +1 727 647 1274
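The behaviour argued for above, as an added example that is not part of the thread or of any real TLS library: a hostname matcher that treats the absolute spelling ("my.host.name.") and the relative spelling as the same remote name by stripping one trailing dot before comparing against the certificate's dNSName entries, while a search-path short name is left alone because there is nothing the matcher could safely add. The SAN list and function names are constructed for illustration.

```python
# Constructed sample: the dNSName entries a server certificate might carry.
SAMPLE_SAN_DNS_NAMES = ["my.host.name", "*.example.org"]


def normalize_host(name: str) -> str:
    """Canonical form for comparison. The absolute (trailing-dot) and the
    relative spelling denote the same remote host, so drop ONE trailing dot
    and fold case. Anything that leaves an empty label (e.g. "host..") is
    rejected rather than silently accepted."""
    if name.endswith("."):
        name = name[:-1]
    name = name.lower()
    if not name or any(label == "" for label in name.split(".")):
        raise ValueError(f"malformed hostname: {name!r}")
    return name


def _pattern_matches(pattern: str, host: str) -> bool:
    """Label-wise comparison in the RFC 6125 spirit: a wildcard is honoured
    only when it is the whole leftmost label, and it spans exactly one label."""
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # "*.example.org" matches "www.example.org" but neither "example.org"
        # nor "a.b.example.org"
        return p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def cert_matches(hostname: str, san_dns_names) -> bool:
    """True if the requested hostname, absolute or not, matches one of the
    certificate's dNSName entries. Both sides are normalized, so a request
    for "my.host.name." matches a certificate issued for "my.host.name".
    A bare short name ("myhost") is compared as-is: the matcher has no
    resolver search path to apply, so it cannot be expanded here."""
    host = normalize_host(hostname)
    return any(_pattern_matches(normalize_host(p), host) for p in san_dns_names)
```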