On Sat, Jul 05, 2014 at 12:17:13AM +0200, Kurt Roeckx wrote:
> On Fri, Jul 04, 2014 at 10:50:47PM +0200, [email protected] via RT wrote:
> > Updated text for the patch based on Viktor's reply to JW and JB on the list.
> >
> > The updated text includes a statement that it's not possible to
> > determine which name matched (this may be added in the future); and
> > the two-label rule could make an application vulnerable to attacks on
> > ccTLDs like "*.co.uk" (the two-label rule stops attacks on gTLDs like
> > "*.com").
>
> Should it mention publicsuffix.org? Or should we use that list?
No and no. That responsibility lies with the issuing CA. The two
label heuristic is not intended to be a robust generic-wildcard
detection mechanism. The responsibility for correct issuance of
wildcard certificates is on the CA. I will update the API to return
the matched name from the certificate (via an additional char **
argument).
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]
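The two-label rule discussed in this thread, as an added illustration that is not OpenSSL code and not from any participant in the thread. The matcher below is a deliberately simplified model of certificate-name matching: it accepts only a complete leftmost "*" label (no partial wildcards, no IDNA handling), compares labels case-insensitively, and returns the certificate name that matched, the way the proposed `char **` out-parameter would. The function names `match_wildcard` and `check_host` and the sample certificate names are assumptions made for the example. It shows why the heuristic blocks "*.com" but still accepts "*.co.uk", which is exactly the ccTLD gap the message describes and why the thread puts the burden on the issuing CA rather than on the matcher.

```python
"""Simplified model of wildcard hostname matching with the two-label rule.

Added example; it is not OpenSSL's X509_check_host() implementation.
"""
from typing import Optional, Sequence


def match_wildcard(pattern: str, hostname: str) -> bool:
    """Return True if hostname matches the certificate name `pattern`.

    Simplifications (assumptions of this example): the wildcard must be the
    whole leftmost label, matching is case-insensitive, trailing dots are
    ignored, and no IDNA normalisation is performed.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False

    if "*" not in pattern:
        return pattern == hostname

    plabels = pattern.split(".")
    hlabels = hostname.split(".")

    # Only a complete leftmost "*" label is accepted here; any other "*" fails.
    if plabels[0] != "*" or any("*" in label for label in plabels[1:]):
        return False

    # Two-label rule: at least two fixed labels must follow the "*".
    # This rejects "*.com" and "*.uk" but cannot reject "*.co.uk", because
    # the heuristic knows nothing about which suffixes are public registries.
    if len(plabels) < 3:
        return False

    # A wildcard covers exactly one label: "*.example.com" does not match
    # "example.com" or "a.b.example.com", and the matched label must be non-empty.
    if len(hlabels) != len(plabels) or not hlabels[0]:
        return False

    # Every fixed label must be non-empty and equal.
    return all(p and p == h for p, h in zip(plabels[1:], hlabels[1:]))


def check_host(cert_names: Sequence[str], hostname: str) -> Optional[str]:
    """Return the first certificate name that matches `hostname`, else None.

    Returning the matched name models the additional out-parameter proposed
    in the thread, so callers can see which name was responsible for a match.
    """
    for name in cert_names:
        if match_wildcard(name, hostname):
            return name
    return None


if __name__ == "__main__":
    # Constructed sample certificate names; not from any real certificate.
    cases = [
        (["*.com"], "example.com"),              # blocked by the two-label rule
        (["*.co.uk"], "victim.co.uk"),           # NOT blocked: the ccTLD gap
        (["www.example.com", "*.example.com"], "api.example.com"),
        (["*.example.com"], "example.com"),      # wildcard needs one label
        (["*.example.com"], "a.b.example.com"),  # wildcard covers one label only
    ]
    for names, host in cases:
        print(f"{host!r:24} against {names}: matched {check_host(names, host)!r}")
```

The point the output makes is the one Viktor makes in prose: the heuristic is a tripwire for obviously bogus generic wildcards, not a substitute for a CA that refuses to issue them.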