On Tue, Apr 01, 2014 at 07:07:10PM -0700, Howard Chu wrote:
> Viktor Dukhovni wrote:
> >I can contribute a patch, that addresses many of the issues. Things
> >that I'm not immediately planning to address are:
> >
> > - Separate flag for wildcards in CN vs. wildcards in SAN dnsName.
> > (LDAP case in RFC 6125).
>
> Just to add context - the LDAP RFCs always specified wildcards in SAN only,
> not in the CN. But most commercial CAs seem to have made a practice of
> issuing wildcard certs using * in the CN, not in a dnsName SAN. For a long
> time we rejected wildcard CN certs in OpenLDAP but finally started accepting
> them after multiple users' requests. It's a slippery slope, don't expect to
> get it right.
Thanks, good to know. So is there in your view a real need for
separate wildcard flags in SAN vs. CN? It never made much sense
to me, and if LDAP implementations are now giving in to CA practice,
I am inclined to do what makes more sense, more than I am inclined
to support an oddity of the LDAP wildcard matching specifications.
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
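To make the distinction in the thread concrete, here is an added example (not OpenSSL or OpenLDAP code) of a hostname matcher that keeps two independent flags, one for wildcards in SAN dNSName and one for wildcards in the subject CN, and applies the RFC 6125 rule that the CN is only consulted when the certificate has no dNSName SAN. The function names, the flag names and the certificate identities fed to it are all constructed for the illustration; the "whole leftmost label only" and "at least two labels after the star" restrictions are design choices of the example, not something the thread or RFC 6125 mandates.

```python
"""Illustrative hostname matching with separate wildcard flags for the
SAN dNSName case and the subject CN case, in the spirit of RFC 6125.
Added example, not OpenSSL or OpenLDAP code; all inputs are constructed."""

import re

# One DNS label: letters, digits and interior hyphens (case already folded).
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def _normalize(name):
    """Fold case and drop one trailing dot; None if the name is empty."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name or None


def _match_identity(hostname, ident, allow_wildcard):
    """Match one presented identity (a SAN dNSName or a CN) against hostname.

    Rules (a conservative reading of RFC 6125 section 6.4.3):
      * comparison is case-insensitive;
      * '*' is accepted only as the entire leftmost label, so 'w*.example.com'
        is rejected (design choice of this example);
      * a wildcard label matches exactly one label: '*.example.com' matches
        'www.example.com' but neither 'example.com' nor 'a.b.example.com';
      * at least two labels must follow the '*', so '*.com' is rejected
        (design choice of this example);
      * with allow_wildcard False, any identity containing '*' is ignored.
    """
    hostname = _normalize(hostname)
    ident = _normalize(ident)
    if hostname is None or ident is None:
        return False
    host_labels = hostname.split(".")
    if not all(_LABEL_RE.match(label) for label in host_labels):
        return False  # the reference identifier itself must be a clean DNS name
    if "*" not in ident:
        return hostname == ident
    if not allow_wildcard:
        return False
    ident_labels = ident.split(".")
    if ident_labels[0] != "*" or any("*" in label for label in ident_labels[1:]):
        return False
    if len(ident_labels) < 3:
        return False
    if len(host_labels) != len(ident_labels):
        return False
    return host_labels[1:] == ident_labels[1:]


def match_hostname(hostname, san_dns_names, cn,
                   allow_wildcard_san=True, allow_wildcard_cn=False):
    """Return the presented identity that matched hostname, or None.

    Per RFC 6125 section 6.4.4 the CN is consulted only when the certificate
    carries no dNSName SAN at all; a certificate whose SANs do not match is
    rejected even if its CN would have matched.  The two flags reproduce the
    split discussed above: wildcards in SAN dNSName (what the LDAP RFCs
    permit) versus wildcards in CN (what commercial CAs issued in practice).
    """
    if san_dns_names:
        for ident in san_dns_names:
            if _match_identity(hostname, ident, allow_wildcard_san):
                return ident
        return None
    if cn is not None and _match_identity(hostname, cn, allow_wildcard_cn):
        return cn
    return None


if __name__ == "__main__":
    # Constructed cases: a SAN wildcard cert, a CN-only wildcard cert,
    # and a cert whose SANs do not match while its CN would.
    print(match_hostname("www.example.com", ["*.example.com"], "ignored"))
    print(match_hostname("www.example.com", [], "*.example.com"))
    print(match_hostname("www.example.com", [], "*.example.com",
                         allow_wildcard_cn=True))
    print(match_hostname("www.example.com", ["mail.example.com"],
                         "www.example.com"))
```

With the default flags this accepts "*.example.com" from a dNSName SAN and rejects the same string in a CN, which is the strict LDAP-RFC behaviour Howard describes; passing allow_wildcard_cn=True gives the behaviour OpenLDAP moved to after user requests. Collapsing the two flags into one is a one-line change in match_hostname, which is why a single flag is the simpler design once implementations stop distinguishing the two cases.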