[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Patch] Non-permissive subjectAltName wildcard

From: Nikos Mavrogiannopoulos
Subject: Re: [Patch] Non-permissive subjectAltName wildcard
Date: Sun, 04 May 2008 16:48:40 +0300
User-agent: Thunderbird (X11/20080227)

Andreas Metzler wrote:
> Hello,
> this reported by Jean-Philippe Garcia
> Ballester:
> On 2008-05-03 Jean-Philippe Garcia Ballester <address@hidden> wrote:
>> It seems too me that the subjectAltName wildcard matching has strong 
>> constraints.
>> First, it allows only one wildcard. Since a wildcard can only match
>> a single domain component, multiple wildcards are useful (e.g.,
>> *.* I did not see in the rfc 2818 such restriction.

Thank you for the patch. I need some clarifications before including it
though. Having such as permissive wildcard is quite dangerous. Why would
one specify *.* instead of the much simpler *

>> Second, it only allows the wildcard to be at the beginning of the
>> hostname.  Since the rfc 2818 gives “f*.com” as an example, I
>> believe this is a false assert.

f*.com is not a good example :) I don't think that such a wildcard
certificate has a real world usage, and if any CA signs it would be at
error. Of course this applies to *.com as well...

Probably your point is for wildcards such as test*

>> Third, it only allows the wildcard to be followed by a ‘.’. This is
>> not clearly stated in the rfc, but I believe it is reasonnable to
>> assume that if “f*.com” is allowed, then “f*” should be allowed
>> as well.

What is your use case that does not work by the current simple wildcard?


reply via email to

[Prev in Thread] Current Thread [Next in Thread]