gnutls-devel
Re: [Patch] Non-permissive subjectAltName wildcard


From: Nikos Mavrogiannopoulos
Subject: Re: [Patch] Non-permissive subjectAltName wildcard
Date: Sun, 04 May 2008 16:48:40 +0300
User-agent: Thunderbird 2.0.0.12 (X11/20080227)

Andreas Metzler wrote:
> Hello,
> 
> this http://bugs.debian.org/479174 reported by Jean-Philippe Garcia
> Ballester:
> 
> On 2008-05-03 Jean-Philippe Garcia Ballester <address@hidden> wrote:
>> It seems to me that the subjectAltName wildcard matching has strong
>> constraints.
> 
>> First, it allows only one wildcard. Since a wildcard can only match
>> a single domain component, multiple wildcards are useful (e.g.,
>> *.*.example.org). I did not see in the rfc 2818 such restriction.

Thank you for the patch. I need some clarifications before including it
though. Having such a permissive wildcard is quite dangerous. Why would
one specify *.*.example.org instead of the much simpler *.example.org?

>> Second, it only allows the wildcard to be at the beginning of the
>> hostname.  Since the rfc 2818 gives “f*.com” as an example, I
>> believe this is a false assert.

f*.com is not a good example :) I don't think that such a wildcard
certificate has a real world usage, and if any CA signs it, it would be
in error. Of course this applies to *.com as well...

Probably your point is for wildcards such as test*.gnutls.org?

>> Third, it only allows the wildcard to be followed by a ‘.’. This is
>> not clearly stated in the rfc, but I believe it is reasonable to
>> assume that if “f*.com” is allowed, then “f*o.com” should be allowed
>> as well.

What is your use case that does not work by the current simple wildcard?

regards,
Nikos
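The following is an added example, not GnuTLS code and not part of the thread above. It puts the two policies under discussion side by side: a strict matcher that accepts a single "*" only as the complete leftmost label (the three constraints the bug report lists), and a permissive matcher that follows the literal RFC 2818 reading (any number of wildcards, anywhere in a label, never crossing a "."). It then runs both over the patterns quoted in the thread. The requirement that the fixed part of a strict pattern contain at least two labels (so "*.com" never matches) is my own safeguard, not something the thread specifies. Names are lower-case ASCII; no IDNA handling is attempted.

```c
/*
 * Added example: two hostname wildcard matchers for dNSName / CN patterns.
 * Not GnuTLS code. Inputs are assumed to be plain ASCII host names.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* ASCII case-insensitive equality of two whole strings. */
static int streq_ci(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == '\0' && *b == '\0';
}

/* Strict policy from the thread: exactly one '*', it must be the first
 * character, it must be followed by '.', and it matches exactly one
 * non-empty host label. Returns 1 on match, 0 otherwise. */
int match_strict(const char *pattern, const char *host)
{
    const char *suffix = pattern + 1;        /* e.g. ".example.org" */
    const char *dot;

    if (pattern[0] != '*' || pattern[1] != '.')
        return 0;                            /* "f*.com", "f*o.com", "*com" */
    if (strchr(pattern + 1, '*') != NULL)
        return 0;                            /* "*.*.example.org" */
    /* Added safeguard (assumption, not from the thread): the fixed part
     * must itself hold two labels, so "*.com" can never match. */
    if (strchr(suffix + 1, '.') == NULL)
        return 0;

    dot = strchr(host, '.');
    if (dot == NULL || dot == host)
        return 0;                            /* no leftmost label to consume */
    return streq_ci(dot, suffix);            /* "a.b.example.org" fails here */
}

/* Literal RFC 2818 reading: '*' may appear any number of times, anywhere,
 * and each one matches any run of characters inside a single label. */
int match_permissive(const char *pattern, const char *host)
{
    const char *p = pattern, *h = host;

    while (*p) {
        if (*p == '*') {
            while (*p == '*')
                p++;                         /* "**" behaves like "*" */
            if (*p == '\0')
                return strchr(h, '.') == NULL;   /* trailing '*' eats one label */
            for (;; h++) {                   /* try every expansion in this label */
                if (match_permissive(p, h))
                    return 1;
                if (*h == '\0' || *h == '.')
                    return 0;                /* a wildcard never crosses a '.' */
            }
        }
        if (*h == '\0' ||
            tolower((unsigned char)*p) != tolower((unsigned char)*h))
            return 0;
        p++;
        h++;
    }
    return *h == '\0';
}

/* A pattern without '*' must equal the host name exactly. */
int hostname_matches(const char *pattern, const char *host, int permissive)
{
    if (strchr(pattern, '*') == NULL)
        return streq_ci(pattern, host);
    return permissive ? match_permissive(pattern, host)
                      : match_strict(pattern, host);
}

int main(void)
{
    /* Constructed cases taken from the patterns quoted in the thread. */
    static const struct { const char *pat, *host; } cases[] = {
        { "*.example.org",    "www.example.org"  },
        { "*.example.org",    "a.b.example.org"  },
        { "*.*.example.org",  "a.b.example.org"  },
        { "f*.com",           "foo.com"          },
        { "f*o.com",          "foo.com"          },
        { "*.com",            "example.com"      },
        { "test*.gnutls.org", "test1.gnutls.org" },
    };
    size_t i;

    printf("%-18s %-18s strict permissive\n", "pattern", "host");
    for (i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-18s %-18s %-6d %d\n", cases[i].pat, cases[i].host,
               hostname_matches(cases[i].pat, cases[i].host, 0),
               hostname_matches(cases[i].pat, cases[i].host, 1));
    return 0;
}
```

Running it shows the disagreement the thread is about: both policies reject "*.example.org" for "a.b.example.org" (a wildcard covers one label in either reading), but only the permissive matcher accepts "*.*.example.org", "f*.com", "f*o.com" and, absent the extra suffix check, "*.com". The practical risk of the permissive reading is that a single certificate for "f*.com" would be valid for every second-level .com name starting with "f", which is why a verifier that takes the strict route should also reject such patterns rather than merely fail to match them.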