On 03/30/2014 03:39 PM, Viktor Dukhovni wrote:
> On Sun, Mar 30, 2014 at 11:20:51AM +0200, Steffen Ullrich via RT wrote:
>> - probably useful: while no RFC currently forbids something like *.com you
>> have a check to disallow wildcards in the two rightmost suffixes. I think
>> it makes sense to have that, although it is not sufficient (e.g. *.co.uk
>> should also not be allowed). But doing this 100% correct will be tricky,
>> because there is currently no definition of correct behavior in this area:
>> While Chrome disallows *.co.uk, Firefox allows it.
>
> Such a policy would be too complex for OpenSSL, and will be even
> more complex to get right once all the new TLDs ICANN is blessing
> us with come online.

I think the current best approach to this is the "public suffix list"
(http://publicsuffix.org/). It's a horrible kludge (a fully-enumerated list
of all zones that are known to allow registration of sub-zones to the
public), but it's better than just counting labels.

There are a few C libraries that could be used to make this abstraction
available to OpenSSL (if building against external libraries is OK) without
requiring much extra work in OpenSSL itself.

--dkg
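As an added example (not OpenSSL code and not from anyone in the thread), the following Python contrasts the two policies discussed above: the "no wildcard in the two rightmost labels" label-counting heuristic and a check backed by the public suffix list. The PSL_RULES table is a constructed, deliberately tiny subset written in the publicsuffix.org file format; a real implementation would load the full list. It also goes one step beyond the thread by handling the list's wildcard and exception rules (`*.ck` / `!www.ck`), which is where "just counting labels" breaks down most visibly.

```python
# Added example (not OpenSSL code and not from the thread): contrasts the
# "no wildcard in the two rightmost labels" heuristic with a check backed by
# the public suffix list.
#
# PSL_RULES is a constructed, deliberately tiny subset in the file format
# used by publicsuffix.org ("*." matches one label, "!" marks an exception);
# a real deployment would load the full list.
PSL_RULES = [
    "com",
    "uk",
    "co.uk",
    "org",
    "*.ck",      # every second-level label under .ck is a public suffix ...
    "!www.ck",   # ... except www.ck, which is a single registrant's domain
]


def public_suffix(hostname: str) -> str:
    """Return the public suffix of hostname using the PSL matching rules.

    The prevailing rule is the exception rule if one matches, otherwise the
    matching rule with the most labels; with no match the TLD itself is the
    public suffix (the PSL's implicit "*" rule).
    """
    labels = hostname.lower().rstrip(".").split(".")
    best = None  # ((is_exception, rule_length), rule_labels, is_exception)
    for rule in PSL_RULES:
        is_exception = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        if len(rule_labels) > len(labels):
            continue
        # Rules are compared right-aligned; "*" matches exactly one label.
        pairs = zip(reversed(rule_labels), reversed(labels))
        if all(r == "*" or r == l for r, l in pairs):
            rank = (is_exception, len(rule_labels))
            if best is None or rank > best[0]:
                best = (rank, rule_labels, is_exception)
    if best is None:
        return labels[-1]
    _, rule_labels, is_exception = best
    # An exception rule's public suffix is the rule minus its leftmost label.
    n = len(rule_labels) - 1 if is_exception else len(rule_labels)
    return ".".join(labels[-n:])


def wildcard_allowed_by_label_count(name: str) -> bool:
    """The heuristic discussed in the thread: a leading "*" label is accepted
    only if at least two labels follow it, so "*.com" fails but "*.co.uk"
    passes."""
    labels = name.lower().split(".")
    return labels[0] == "*" and "*" not in labels[1:] and len(labels) >= 3


def wildcard_allowed_by_psl(name: str) -> bool:
    """Accept "*.<parent>" only when <parent> is a registrable domain, i.e.
    strictly longer than its public suffix. "*.co.uk" is rejected because
    co.uk is itself a public suffix; "*.example.co.uk" is accepted."""
    labels = name.lower().split(".")
    if labels[0] != "*" or "*" in labels[1:]:
        return False
    parent = ".".join(labels[1:])
    return parent != public_suffix(parent)


def compare_policies(names):
    """Evaluate both policies; returns {name: (label_count_ok, psl_ok)}."""
    return {n: (wildcard_allowed_by_label_count(n), wildcard_allowed_by_psl(n))
            for n in names}


if __name__ == "__main__":
    sample = ["*.com", "*.co.uk", "*.example.co.uk", "*.bar.ck", "*.www.ck"]
    for name, verdict in compare_policies(sample).items():
        print(f"{name:20} label-count={verdict[0]!s:5} psl={verdict[1]}")
```

Running it shows the disagreement the thread is about: both policies reject `*.com`, but only the PSL-backed check rejects `*.co.uk` and `*.bar.ck`, while still permitting `*.example.co.uk` and `*.www.ck`. The price is exactly the kludge dkg describes: correctness depends entirely on how current the embedded list is.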
