Peter Eisentraut wrote: > On Friday 28 November 2008 17:13:54 Magnus Hagander wrote: >> Matching *only* as the first character will make it impossible to make >> certificates for "www*.domain.com", which is AFAIK fairly popular - and >> one of the examples you'll find on CA sites. But it would be fairly easy >> to add this restriction if people feel that's a better way. > > Are there actual technical or administrative or security arguments for or > against this? For example, what are the criteria one has to fulfill in order > to get such a certificate? Or is there a "defensive certification" security > line of reasoning? > > Now certificate issuing is a real business, so we need to play in that > context > as well, but I would like to dig a little deeper why things should be done in > a certain way. > > I am quite confortable, for example, with * matching subdomains, because if I > own example.com, then I can create any level of subdomain I want, without > making a real difference to user/client program. But then I don't really get > the point of having * inside of words -- would "www*.domain.com" also match > dots then?
Hmm. I can't seem to find that reference anymore. The only one of my "www*" references I can find ATM is GoDaddy which just has it as an exapmle of what "*.domain.com" would match :S Perhaps the best method would actually be to match only "*." at the beginning of the CN for now, and see if people complain? I would much like someone who knows more about what would be reasonable to speak up here, but it seems we don't have anybody here who knows... //Magnus -- Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org) To make changes to your subscription: http://www.postgresql.org/mailpref/pgsql-hackers
