On Sun 2008-05-04 09:48:40 -0400, Nikos Mavrogiannopoulos wrote:

> Thank you for the patch. I need some clarifications before including
> it though. Having such a permissive wildcard is quite
> dangerous. Why would one specify *.*.example.org instead of the much
> simpler *.example.org?

foo.example.org matches the latter, but not the former. If you wanted to
allow a server to match any four (or more?) segment domain ending in
example.org, but *not* any three-segment domain, you might prefer the
former.

> f*.com is not a good example :) I don't think that such a wildcard
> certificate has a real-world usage, and if any CA signs it would be at
> error. Of course this applies to *.com as well...
>
> Probably your point is for wildcards such as test*.gnutls.org?

I agree with Nikos, this is a much better example!

>>> Third, it only allows the wildcard to be followed by a ‘.’. This is
>>> not clearly stated in the RFC, but I believe it is reasonable to
>>> assume that if “f*.com” is allowed, then “f*o.com” should be allowed
>>> as well.
>
> What is your use case that does not work by the current simple wildcard?

One example that might be useful would be:

  *dev.example.org

(by analogy with your test*.gnutls.org)

--dkg
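As an added example (my own code, not from GnuTLS and not the patch under discussion), here is a hostname matcher implementing the semantics the thread argues about: a `*` stands for any run of characters within a single label, so it may sit before or after other characters in that label (test*, *dev, f*o) but never spans a '.', and the pattern and host must have the same number of labels, so *.example.org matches foo.example.org while *.*.example.org does not. The function names and the sample inputs are my own. It implements matching only; whether a CA should ever issue something like *.com is a policy question outside this code.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Match one DNS label against one pattern label.  The pattern label may
 * contain at most one '*', which matches any run of characters (possibly
 * empty) inside this label only; it never crosses a '.' because the
 * caller has already split both strings into labels. Comparison is
 * case-insensitive, as DNS names are. */
static int label_match(const char *pat, size_t plen, const char *lab, size_t llen)
{
    const char *star = memchr(pat, '*', plen);
    if (star == NULL) {
        if (plen != llen)
            return 0;
        for (size_t i = 0; i < plen; i++)
            if (tolower((unsigned char)pat[i]) != tolower((unsigned char)lab[i]))
                return 0;
        return 1;
    }
    size_t pre = (size_t)(star - pat);   /* characters before the '*' */
    size_t suf = plen - pre - 1;         /* characters after the '*' */
    if (memchr(star + 1, '*', suf) != NULL)
        return 0;                        /* a second '*' in one label: reject */
    if (llen < pre + suf)
        return 0;                        /* label too short to hold both ends */
    /* The prefix must match the start of the label and the suffix its end;
     * whatever lies between is what the '*' absorbs. */
    return label_match(pat, pre, lab, pre) &&
           label_match(pat + pre + 1, suf, lab + llen - suf, suf);
}

/* Returns 1 if host matches pattern, 0 otherwise.  Every pattern label must
 * match the host label at the same position and the label counts must be
 * equal, so "*.example.org" matches "foo.example.org" but matches neither
 * "example.org" nor "a.foo.example.org"; "*.*.example.org" is needed for
 * the latter.  Empty labels (leading, trailing or doubled dots) are treated
 * as malformed and never match. */
int wildcard_hostname_match(const char *pattern, const char *host)
{
    for (;;) {
        const char *pdot = strchr(pattern, '.');
        const char *hdot = strchr(host, '.');
        size_t plen = pdot ? (size_t)(pdot - pattern) : strlen(pattern);
        size_t hlen = hdot ? (size_t)(hdot - host) : strlen(host);
        if (plen == 0 || hlen == 0)
            return 0;
        if (!label_match(pattern, plen, host, hlen))
            return 0;
        if (pdot == NULL || hdot == NULL)
            return pdot == NULL && hdot == NULL;  /* both must end together */
        pattern = pdot + 1;
        host = hdot + 1;
    }
}

int main(void)
{
    /* Constructed sample pairs, taken from the cases the thread discusses. */
    static const struct { const char *pat, *host; } cases[] = {
        { "*.example.org",    "foo.example.org" },
        { "*.*.example.org",  "foo.example.org" },
        { "*.*.example.org",  "a.foo.example.org" },
        { "test*.gnutls.org", "test1.gnutls.org" },
        { "*dev.example.org", "mydev.example.org" },
        { "f*o.com",          "foo.com" },
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("%-18s %-20s %s\n", cases[i].pat, cases[i].host,
               wildcard_hostname_match(cases[i].pat, cases[i].host) ? "match" : "no match");
    return 0;
}
```

The one-label-per-`*` rule is what makes *.*.example.org mean something different from *.example.org; a matcher that let `*` swallow dots would collapse the two and would also let *.example.org cover any depth of subdomain, which is the permissiveness Nikos is worried about.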