[Patch] Non-permissive subjectAltName wildcard

Daniel Kahn Gillmor dkg-debian.org at fifthhorseman.net
Mon May 5 00:43:14 CEST 2008

On Sun 2008-05-04 09:48:40 -0400, Nikos Mavrogiannopoulos wrote:

> Thank you for the patch. I need some clarifications before including
> it though. Having such as permissive wildcard is quite
> dangerous. Why would one specify *.*.example.org instead of the much
> simpler *.example.org?

foo.example.org matches the latter, but not the former.  If you wanted
to allow a server to match any four (or more?) segment domain ending
in example.org, but *not* any three-segment domain, you might prefer
the former.

> f*.com is not a good example :) I don't think that such a wildcard
> certificate has a real world usage, and if any CA signs it would be at
> error. Of course this applies to *.com as well...
> Probably your point is for wildcards such as test*.gnutls.org?

I agree with Nikos, this is a much better example!

>>> Third, it only allows the wildcard to be followed by a ‘.’. This is
>>> not clearly stated in the rfc, but I believe it is reasonnable to
>>> assume that if “f*.com” is allowed, then “f*o.com” should be allowed
>>> as well.
> What is your use case that does not work by the current simple wildcard?

One example that might be useful would be:


(by analogy with your test*.gnutls.org)

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 826 bytes
Desc: not available
URL: </pipermail/attachments/20080504/ce0ee1ac/attachment.pgp>

More information about the Gnutls-devel mailing list