On 07/22/2014 09:52 AM, Jason Uh wrote:
> Hi Max,
>
> Could you please review this fix?
> http://cr.openjdk.java.net/~juh/8007706/webrev.00/
>
> With the fix, the rules will be:
> 1. A DNSName must begin with a letter or a digit
> 2. After the first character, valid characters in DNSName components are
>    letters, digits, hyphens, and underscores

The underscore bit violates the requirements of RFC 5280. Perhaps the
RFC is wrong, but I think more justification is needed. The part which
accepts leading digits is fine.

Technically, there is a difference between domain names (sequences of
dotted case-insensitive label blobs) and host names (labels must consist
of letters and digits and hyphens, and start with a letter or digit).
RFC 5280 says "domain name", but the references make it clear that "host
names" are meant instead. It's not even clear if IA5String can encode
backslashes, which would be needed to cover the entire range of valid
domain names.
--
Florian Weimer / Red Hat Product Security
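
The two rule sets discussed in this thread, side by side, as an added example (not the OpenJDK `DNSName` code and not the webrev patch). It assumes rule 1 applies to the first character of the whole name, that components are separated by dots, and that empty components are rejected; the class name, method names and sample names are made up for illustration.

```java
// Added illustration of the rules quoted in the thread; not OpenJDK code.
public class DnsNameRules {

    private static boolean isLetterOrDigit(char c) {
        return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') || (c >= '0' && c <= '9');
    }

    /** Rules as listed in the review request: the name begins with a letter or
     *  digit; components may contain letters, digits, hyphens and underscores. */
    static boolean proposedRules(String name) {
        if (name.isEmpty() || !isLetterOrDigit(name.charAt(0))) return false;
        for (String label : name.split("\\.", -1)) {   // -1 keeps trailing empty labels
            if (label.isEmpty()) return false;         // assumption: empty components rejected
            for (char c : label.toCharArray()) {
                if (!isLetterOrDigit(c) && c != '-' && c != '_') return false;
            }
        }
        return true;
    }

    /** Host name rule as described in the reply: every label consists of letters,
     *  digits and hyphens, and starts with a letter or digit. */
    static boolean hostNameRules(String name) {
        if (name.isEmpty()) return false;
        for (String label : name.split("\\.", -1)) {
            if (label.isEmpty() || !isLetterOrDigit(label.charAt(0))) return false;
            for (char c : label.toCharArray()) {
                if (!isLetterOrDigit(c) && c != '-') return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample names, chosen to show where the two rule sets differ.
        String[] samples = {
            "example.com", "3com.example", "my_host.example.com",
            "_dmarc.example.com", "a.-b.example", "a..b"
        };
        for (String s : samples) {
            System.out.printf("%-22s proposed=%-5b hostname=%b%n",
                    s, proposedRules(s), hostNameRules(s));
        }
    }
}
```

Only `my_host.example.com` and `a.-b.example` are accepted by the first method and rejected by the second: the underscore case raised in the reply, and a later label starting with a hyphen under the literal reading of rule 1 assumed here.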