Robert Haas wrote:
>> Perhaps the best method would actually be to match only "*." at the
>> beginning of the CN for now, and see if people complain? I would much
>> like someone who knows more about what would be reasonable to speak up
>> here, but it seems we don't have anybody here who knows...
>
> I would encourage you to adopt a solution where * matches only a
> single pathname component. This seems to be the intention of both
> RFC2818 and RFC2595. It is also the behavior of IE7; FF2 seems to
> deviate from the spec.
>
> http://www.hanselman.com/blog/SomeTroubleWithWildcardSSLCertificatesFireFoxAndRFC2818.aspx

If you look at the wiki page mentioned upthread, http://wiki.cacert.org/wiki/WildcardCertificates, you will see that it seems like *all* products other than IE are converging on the non-IE behavior. Which would be an argument for implementing that method.

> There are several other advantages of this approach that seem worth
> mentioning:
>
> 1. If you make it match a single pathname component now, and later
> decide that you were wrong and change your mind, it is guaranteed not
> to break any working installations. The reverse is not true.

True.

> 2. I can't see any possible way that matching a single component could
> create security holes that would be eliminated by matching multiple
> components, but I'm more skeptical about the other direction. What
> about the old DNS hack where you create a DNS record for
> example.com.sample.com and hijack connections intended for example.com
> made by people whose default DNS suffix is sample.com? There may be
> reason to believe this isn't a problem, but matching less seems like
> it can't possibly be a bad thing.

Right, but that's all about being careful not to give out certs like "*.postgres.*".

> 3. It would be truly bizarre if www*.example.com matched
> www17.some.stuff.in.the.middle.example.com. (That having been said, I
> wouldn't worry about wildcards intended to match part of a component
> too much. I suspect that it's an extremely rare case, and we can
> always add support later if there is demand for it. Not worrying
> about this now will help keep the code simple and free of bugs, always
> good in a security-critical context.)

Yeah. I think I agree with the idea that we should match wildcards only at the beginning of the name *for now*, and then see what people actually request :-) I'm less sure about the single-pathname-component part, but the argument around backwards compatibility is certainly a very valid one.

//Magnus

--
Sent via pgsql-hackers mailing list (pgsql-hackers@postgresql.org)
To make changes to your subscription:
http://www.postgresql.org/mailpref/pgsql-hackers
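The matching rule the thread settles on, a leading "*." that consumes exactly one DNS label and no wildcards anywhere else, written out as an added example (not libpq's code; the function name `cn_matches_host` and the case-insensitive comparison are assumptions):

```c
/* Added example, not PostgreSQL code: CN wildcard matching where "*."
 * is accepted only as the whole leading label and "*" matches exactly
 * one hostname label (RFC 2818 style). Comparison is case-insensitive
 * because DNS names are; trailing dots are not handled. */
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Case-insensitive equality of two NUL-terminated strings. */
static bool names_equal_ci(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char) *a) != tolower((unsigned char) *b))
            return false;
    return *a == '\0' && *b == '\0';
}

/*
 * Does the hostname match the certificate CN pattern?
 *   - No wildcard: exact (case-insensitive) match.
 *   - Pattern starts with "*.": "*" consumes exactly one label of the
 *     hostname (up to the first '.'); the rest must match exactly, so
 *     "*.example.com" matches "www.example.com" but not "a.b.example.com".
 *   - A '*' anywhere else ("www*.example.com", "*.postgres.*") is not
 *     treated as a wildcard, so such a CN never matches any host.
 */
bool cn_matches_host(const char *pattern, const char *host)
{
    if (pattern[0] == '*')
    {
        const char *dot;

        /* Wildcard must be a whole leading label followed by a name. */
        if (pattern[1] != '.' || pattern[2] == '\0')
            return false;
        /* No further wildcards in the remainder of the pattern. */
        if (strchr(pattern + 2, '*') != NULL)
            return false;

        /* The hostname must have one non-empty label to consume. */
        dot = strchr(host, '.');
        if (dot == NULL || dot == host)
            return false;

        return names_equal_ci(dot + 1, pattern + 2);
    }

    /* No leading wildcard: a '*' elsewhere is rejected outright. */
    if (strchr(pattern, '*') != NULL)
        return false;
    return names_equal_ci(pattern, host);
}
```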