[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Patch] Non-permissive subjectAltName wildcard
|
From: |
Daniel Kahn Gillmor |
|
Subject: |
Re: [Patch] Non-permissive subjectAltName wildcard |
|
Date: |
Sun, 04 May 2008 18:43:14 -0400 |
|
User-agent: |
Gnus/5.11 (Gnus v5.11) Emacs/22.2 (gnu/linux) |
On Sun 2008-05-04 09:48:40 -0400, Nikos Mavrogiannopoulos wrote:
> Thank you for the patch. I need some clarifications before including
> it though. Having such as permissive wildcard is quite
> dangerous. Why would one specify *.*.example.org instead of the much
> simpler *.example.org?
foo.example.org matches the latter, but not the former. If you wanted
to allow a server to match any four (or more?) segment domain ending
in example.org, but *not* any three-segment domain, you might prefer
the former.
> f*.com is not a good example :) I don't think that such a wildcard
> certificate has a real world usage, and if any CA signs it would be at
> error. Of course this applies to *.com as well...
>
> Probably your point is for wildcards such as test*.gnutls.org?
I agree with Nikos, this is a much better example!
>>> Third, it only allows the wildcard to be followed by a ‘.’. This is
>>> not clearly stated in the rfc, but I believe it is reasonnable to
>>> assume that if “f*.com” is allowed, then “f*o.com” should be allowed
>>> as well.
>
> What is your use case that does not work by the current simple wildcard?
One example that might be useful would be:
*dev.example.org
(by analogy with your test*.gnutls.org)
--dkg
pgpGDelbTTWqj.pgp
Description: PGP signature