On Tue, Apr 01, 2014 at 07:07:10PM -0700, Howard Chu wrote:
> Viktor Dukhovni wrote:
> > I can contribute a patch that addresses many of the issues. Things
> > that I'm not immediately planning to address are:
> >
> >   - Separate flag for wildcards in CN vs. wildcards in SAN dnsName.
> >     (LDAP case in RFC 6125).
>
> Just to add context - the LDAP RFCs always specified wildcards in SAN only,
> not in the CN. But most commercial CAs seem to have made a practice of
> issuing wildcard certs using * in the CN, not in a dnsName SAN. For a long
> time we rejected wildcard CN certs in OpenLDAP but finally started accepting
> them after multiple users' requests. It's a slippery slope, don't expect to
> get it right.
Thanks, good to know. So is there in your view a real need for separate
wildcard flags in SAN vs. CN? It never made much sense to me, and if LDAP
implementations are now giving in to CA practice, I am inclined to do what
makes more sense, more than I am inclined to support an oddity of the LDAP
wildcard matching specifications.

-- 
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
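To make concrete what the thread is weighing (wildcards honoured in a SAN dNSName only, as the LDAP RFCs require, versus also in the subject CN, as CA practice has made common), here is an added illustration. It is not part of this thread and not OpenSSL's own code; the names WildcardPolicy, match_dns_name and verify_hostname are hypothetical. The matching rules follow RFC 6125 section 6.4.3 (wildcard only in the left-most label, never across a dot, not inside an A-label), and the policy switch decides in which field a wildcard is accepted at all.

```python
# Added example: RFC 6125-style hostname matching with a policy switch for
# where wildcards are honoured. Names (WildcardPolicy, match_dns_name,
# verify_hostname) are hypothetical; this is not OpenSSL's implementation.
from enum import Enum, auto
from typing import Optional, Sequence


class WildcardPolicy(Enum):
    NONE = auto()         # never honour '*' anywhere
    SAN_ONLY = auto()     # '*' only in SAN dNSName (the LDAP RFC rule)
    SAN_AND_CN = auto()   # '*' also honoured in the subject CN (CA practice)


def match_dns_name(pattern: str, hostname: str, allow_wildcard: bool) -> bool:
    """Match one presented identifier against a reference hostname.

    Rules follow RFC 6125 section 6.4.3: a wildcard is honoured only in the
    left-most label, never matches across a dot, and is not honoured when
    embedded in an IDNA A-label (xn--). Comparison is case-insensitive and
    ignores a trailing dot.
    """
    pattern = pattern.rstrip(".").lower()
    hostname = hostname.rstrip(".").lower()
    if not pattern or not hostname:
        return False
    if "*" not in pattern:
        return pattern == hostname
    if not allow_wildcard:
        return False  # policy says '*' is not honoured in this field

    plabels = pattern.split(".")
    hlabels = hostname.split(".")
    # Wildcard only in the left-most label, only one '*' in it, and never
    # inside an A-label.
    if (any("*" in lbl for lbl in plabels[1:])
            or plabels[0].count("*") != 1
            or plabels[0].startswith("xn--")):
        return False
    # Refuse over-broad patterns such as "*.com": require two fixed labels.
    if len(plabels) < 3:
        return False
    # The wildcard covers exactly one label, so label counts must agree
    # and every non-wildcard label must match literally.
    if len(plabels) != len(hlabels) or plabels[1:] != hlabels[1:]:
        return False
    head = hlabels[0]
    if not head:
        return False
    prefix, suffix = plabels[0].split("*")
    return (len(head) >= len(prefix) + len(suffix)
            and head.startswith(prefix) and head.endswith(suffix))


def verify_hostname(hostname: str, san_dns_names: Sequence[str],
                    subject_cn: Optional[str], policy: WildcardPolicy) -> bool:
    """Check a certificate's names against the expected hostname.

    Per RFC 6125 the subject CN is a fallback consulted only when the
    certificate carries no SAN dNSName at all. The policy decides whether
    '*' is honoured in each field.
    """
    if san_dns_names:
        allow = policy is not WildcardPolicy.NONE
        return any(match_dns_name(n, hostname, allow) for n in san_dns_names)
    if subject_cn is None:
        return False
    return match_dns_name(subject_cn, hostname,
                          policy is WildcardPolicy.SAN_AND_CN)


if __name__ == "__main__":
    # Constructed sample certificate: wildcard in the CN only, no SAN. This
    # is the case the thread discusses: accepted under CA practice, rejected
    # under the LDAP SAN-only rule.
    san, cn = [], "*.example.com"
    for pol in WildcardPolicy:
        print(pol.name, verify_hostname("www.example.com", san, cn, pol))
```

Run as a script it prints one line per policy for the CN-only wildcard certificate: NONE and SAN_ONLY reject it, SAN_AND_CN accepts it. The same matcher is reused for both fields; only the boolean passed to it changes, which is what a "separate flag for CN vs. SAN wildcards" would amount to in practice.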