> Perhaps the best method would actually be to match only "*." at the
> beginning of the CN for now, and see if people complain? I would much
> like someone who knows more about what would be reasonable to speak up
> here, but it seems we don't have anybody here who knows...
I would encourage you to adopt a solution where * matches only a single pathname component. This seems to be the intention of both RFC2818 and RFC2595. It is also the behavior of IE7; FF2 seems to deviate from the spec.

http://www.hanselman.com/blog/SomeTroubleWithWildcardSSLCertificatesFireFoxAndRFC2818.aspx

There are several other advantages of this approach that seem worth mentioning:

1. If you make it match a single pathname component now, and later decide that you were wrong and change your mind, it is guaranteed not to break any working installations. The reverse is not true.

2. I can't see any possible way that matching a single component could create security holes that would be eliminated by matching multiple components, but I'm more skeptical about the other direction. What about the old DNS hack where you create a DNS record for example.com.sample.com and hijack connections intended for example.com made by people whose default DNS suffix is sample.com? There may be reason to believe this isn't a problem, but matching less seems like it can't possibly be a bad thing.

3. It would be truly bizarre if www*.example.com matched www17.some.stuff.in.the.middle.example.com.

(That having been said, I wouldn't worry about wildcards intended to match part of a component too much. I suspect that it's an extremely rare case, and we can always add support later if there is demand for it. Not worrying about this now will help keep the code simple and free of bugs, always good in a security-critical context.)

...Robert

-- 
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
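The single-component rule argued for above, written out as an added example (not code from the thread or from PostgreSQL's libpq): a leading "*." consumes exactly one DNS label, everything else is compared literally and case-insensitively, and a '*' anywhere other than the first label (the "www*.example.com" case the message defers) is not treated as a wildcard at all. The function name `wildcard_certname_match` and the sample hostnames are constructed for this illustration.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Case-insensitive equality of two NUL-terminated strings (DNS names are case-insensitive). */
static bool
eq_nocase(const char *a, const char *b)
{
    for (; *a != '\0' && *b != '\0'; a++, b++)
    {
        if (tolower((unsigned char) *a) != tolower((unsigned char) *b))
            return false;
    }
    return *a == '\0' && *b == '\0';
}

/*
 * Return true if 'hostname' is matched by the certificate name 'pattern'.
 *
 * Only a pattern that begins with "*." is treated as a wildcard, and that
 * wildcard stands for exactly one leading label of the hostname; the rest
 * of the pattern must match the rest of the hostname literally. A pattern
 * with '*' anywhere else is compared as a literal name, so it never
 * matches a real hostname. (Illustrative function; not libpq's code.)
 */
bool
wildcard_certname_match(const char *pattern, const char *hostname)
{
    if (strncmp(pattern, "*.", 2) != 0)
        return eq_nocase(pattern, hostname);   /* no wildcard: exact match only */

    if (pattern[2] == '\0')
        return false;                           /* "*." alone is not a usable name */

    /* Strip exactly one label ("www.") from the hostname. */
    const char *dot = strchr(hostname, '.');
    if (dot == NULL || dot == hostname)
        return false;                           /* nothing for '*' to consume, or empty label */

    /* What remains ("example.com") must equal the pattern after "*.". */
    return eq_nocase(pattern + 2, dot + 1);
}

int
main(void)
{
    /* Constructed cases showing what the single-label rule does and does not accept. */
    static const char *const cases[][2] = {
        {"*.example.com", "www.example.com"},          /* one label: match      */
        {"*.example.com", "WWW.Example.COM"},          /* case-insensitive      */
        {"*.example.com", "www.foo.example.com"},      /* two labels: no match  */
        {"*.example.com", "example.com"},              /* zero labels: no match */
        {"*.example.com", "www.example.com.sample.com"}, /* suffix trick: no match */
        {"www*.example.com", "www17.example.com"},     /* mid-label '*': literal, no match */
        {"db.example.com", "db.example.com"},          /* plain name: exact match */
    };
    for (size_t i = 0; i < sizeof(cases) / sizeof(cases[0]); i++)
        printf("%-20s vs %-30s -> %s\n", cases[i][0], cases[i][1],
               wildcard_certname_match(cases[i][0], cases[i][1]) ? "match" : "no match");
    return 0;
}
```

The point 2 of the message maps directly onto the fifth case: because the wildcard consumes one label and the remainder must match the pattern tail exactly, a certificate for *.example.com cannot be presented for www.example.com.sample.com, whatever the client's DNS search suffix did to the name.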