[Patch] Non-permissive subjectAltName wildcard
Daniel Kahn Gillmor
dkg-debian.org at fifthhorseman.net
Mon May 5 00:43:14 CEST 2008
On Sun 2008-05-04 09:48:40 -0400, Nikos Mavrogiannopoulos wrote:
> Thank you for the patch. I need some clarifications before including
> it though. Having such a permissive wildcard is quite
> dangerous. Why would one specify *.*.example.org instead of the much
> simpler *.example.org?
foo.example.org matches the latter, but not the former. If you wanted
to allow a server to match any four (or more?) segment domain ending
in example.org, but *not* any three-segment domain, you might prefer
the former.
> f*.com is not a good example :) I don't think that such a wildcard
> certificate has a real world usage, and if any CA signs it would be at
> error. Of course this applies to *.com as well...
>
> Probably your point is for wildcards such as test*.gnutls.org?
I agree with Nikos, this is a much better example!
>>> Third, it only allows the wildcard to be followed by a ‘.’. This is
>>> not clearly stated in the rfc, but I believe it is reasonable to
>>> assume that if “f*.com” is allowed, then “f*o.com” should be allowed
>>> as well.
>
> What is your use case that does not work by the current simple wildcard?
One example that might be useful would be:
*dev.example.org
(by analogy with your test*.gnutls.org)
--dkg
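As an added illustration of the wildcard policies argued over above (example code written for this page, not GnuTLS code and not part of the thread): a hypothetical C matcher that accepts a single `*` only inside the leftmost label, so `test*.gnutls.org` and `*dev.example.org` work, while `*.*.example.org`, `f*.com` and `*.com` are refused outright and a wildcard never spans a `.`. The function names `hostname_matches` and `label_matches` are my own; the policy is the conservative one, not the more permissive multi-wildcard form the patch proposes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#include <strings.h>   /* strcasecmp/strncasecmp (POSIX) */

/* Hypothetical matcher (not GnuTLS code). Policy:
 *  - at most one '*', and only within the leftmost label;
 *  - literal characters may surround the '*' inside that label
 *    (test*.gnutls.org, *dev.example.org), but '*' never crosses a '.';
 *  - at least two labels must follow the wildcard label, which rejects
 *    "*.com"- and "f*.com"-style patterns;
 *  - DNS names are case-insensitive, so comparison is too. */
static bool label_matches(const char *pat, size_t plen,
                          const char *lab, size_t llen)
{
    const char *star = memchr(pat, '*', plen);
    if (!star)
        return plen == llen && strncasecmp(pat, lab, plen) == 0;
    size_t pre = (size_t)(star - pat);      /* literal prefix length */
    size_t suf = plen - pre - 1;            /* literal suffix length */
    if (llen < pre + suf)
        return false;
    return strncasecmp(pat, lab, pre) == 0 &&
           strncasecmp(star + 1, lab + llen - suf, suf) == 0;
}

bool hostname_matches(const char *pattern, const char *host)
{
    const char *pdot = strchr(pattern, '.');
    const char *hdot = strchr(host, '.');
    const char *star = strchr(pattern, '*');

    if (!star)                          /* no wildcard: exact match only */
        return strcasecmp(pattern, host) == 0;
    if (strchr(star + 1, '*'))          /* a second '*' is refused */
        return false;
    if (!pdot || star > pdot)           /* '*' outside the leftmost label */
        return false;
    if (!strchr(pdot + 1, '.'))         /* too few labels after the '*' */
        return false;
    if (!hdot)                          /* host has a single label */
        return false;
    if (strcasecmp(pdot + 1, hdot + 1) != 0)   /* tail must match exactly */
        return false;
    /* only the leftmost host label is matched against the wildcard label */
    return label_matches(pattern, (size_t)(pdot - pattern),
                         host, (size_t)(hdot - host));
}
```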