
Re: [Patch] Non-permissive subjectAltName wildcard

From: Daniel Kahn Gillmor
Subject: Re: [Patch] Non-permissive subjectAltName wildcard
Date: Sun, 04 May 2008 18:43:14 -0400
User-agent: Gnus/5.11 (Gnus v5.11) Emacs/22.2 (gnu/linux)

On Sun 2008-05-04 09:48:40 -0400, Nikos Mavrogiannopoulos wrote:

> Thank you for the patch. I need some clarifications before including
> it though. Having such a permissive wildcard is quite
> dangerous. Why would one specify *.* instead of the much
> simpler

* matches the latter, but not the former.  If you wanted
to allow a server to match any four (or more?) segment domain ending
in, but *not* any three-segment domain, you might prefer
the former.

> f*.com is not a good example :) I don't think that such a wildcard
> certificate has a real world usage, and if any CA signs it would be at
> error. Of course this applies to *.com as well...
> Probably your point is for wildcards such as test*

I agree with Nikos, this is a much better example!

>>> Third, it only allows the wildcard to be followed by a ‘.’. This is
>>> not clearly stated in the rfc, but I believe it is reasonable to
>>> assume that if “f*.com” is allowed, then “f*” should be allowed
>>> as well.
> What is your use case that does not work by the current simple wildcard?

One example that might be useful would be:


(by analogy with your test*


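Added example for the thread above, written here and not taken from the patch or from GnuTLS: a hostname matcher in which every wildcard label consumes exactly one DNS label, so `*.example.test` accepts three-label names only and `*.*.example.test` four-label names only (Daniel's point), while partial-label wildcards such as `test*` sit behind a separate switch and wildcard patterns with too few labels (`*.com`, `f*.com`) are refused. The function names, the `partial` switch and the `min_labels` threshold are my own assumptions, not GnuTLS API.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>

/* Compare one pattern label with one host label (case-insensitive, as
   DNS names are). A '*' never spans a '.', so a wildcard label matches
   exactly one host label. With partial == false the only accepted
   wildcard form is a label that is exactly "*"; with partial == true a
   single '*' may also appear inside a label ("test*", "f*"). */
static bool label_matches(const char *p, size_t pl, const char *h, size_t hl,
                          bool partial)
{
    const char *star = memchr(p, '*', pl);
    if (star == NULL)
        return pl == hl && strncasecmp(p, h, hl) == 0;
    if (pl == 1)                          /* label is exactly "*" */
        return hl > 0;
    if (!partial || memchr(star + 1, '*', pl - (size_t)(star - p) - 1))
        return false;                     /* partial forms off, or "a*b*" */
    size_t pre = (size_t)(star - p), suf = pl - pre - 1;
    return hl >= pre + suf &&
           strncasecmp(p, h, pre) == 0 &&
           strncasecmp(star + 1, h + hl - suf, suf) == 0;
}

/* True if host matches the certificate name pattern label by label.
   A pattern containing a wildcard must have at least min_labels labels,
   so with min_labels == 3 "*.com" and "f*.com" are rejected outright
   (assumed policy knob, not something the thread's patch defines). */
bool hostname_matches(const char *pattern, const char *host,
                      bool partial, int min_labels)
{
    int labels = 1;
    for (const char *c = pattern; *c; c++)
        if (*c == '.') labels++;
    if (strchr(pattern, '*') && labels < min_labels)
        return false;
    for (;;) {
        const char *pd = strchr(pattern, '.'), *hd = strchr(host, '.');
        size_t pl = pd ? (size_t)(pd - pattern) : strlen(pattern);
        size_t hl = hd ? (size_t)(hd - host) : strlen(host);
        if (!label_matches(pattern, pl, host, hl, partial))
            return false;
        if ((pd == NULL) != (hd == NULL))
            return false;                 /* label counts differ */
        if (pd == NULL)
            return true;
        pattern = pd + 1;
        host = hd + 1;
    }
}
```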
