Nelson Bolyard wrote:
> Now, there is a request asking that NSS's code for matching the
> application's desired host names to the names in the cert adopt the more
> restricting IETF standards, and the NSS team wholeheartedly agrees.

What is the rationale for the request? Does it increase security in some 
way? Or enable CAs to sell more certs? ;-)

> It is proposed that we change NSS to accept only wildcards that meet
> these rules:
> - exactly one star (*) and no more.
> - star matches any numbers of characters EXCEPT DOT.
> - There can be no dots to the left of the star, and a dot must
>   immediately follow the star.
> - There must be at least two dots after (to the right of) the star,
>   and each dot must be followed by one or more non-dot characters.
> - There may be characters OTHER THAN DOTS to the left of the one star.

Are there CAs who are issuing (or have issued in the past year or two) 
certificates which do not meet these rules?

> Also note that Microsoft Internet Explorer (MSIE) already disallows many
> of the wildcard patterns that we propose to disallow in NSS.

Many? Or all?

> If the proposed change will cause you grief, please let the NSS team
> know by posting a message to this news group or mailing list, or by
> adding a comment in bugzilla bug 159483, or by sending email to me
> (you must demangle my email address) SOON.  (This week, please.)

Do you think it is worth asking this question more widely?

Gerv
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto

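The five wildcard rules quoted in the proposal above, written out as a validator and a matcher. This is an added example and not NSS code or anything from the bug; the function names are hypothetical, and it assumes two things the proposal does not spell out: the comparison is case-insensitive (DNS names are), and the star may cover zero characters as well as many.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Added example, not NSS code. Returns true when a wildcard dNSName from a
   certificate satisfies the five proposed rules. */
bool wildcard_is_acceptable(const char *pattern)
{
    const char *star = strchr(pattern, '*');
    if (star == NULL)
        return false;                               /* rule 1: a star is required */
    if (strchr(star + 1, '*') != NULL)
        return false;                               /* rule 1: exactly one star */
    if (memchr(pattern, '.', (size_t)(star - pattern)) != NULL)
        return false;                               /* rule 3: no dots left of the star */
    if (star[1] != '.')
        return false;                               /* rule 3: a dot must follow the star */

    /* rule 4: at least two dots right of the star, each followed by a non-dot */
    int dots = 0;
    for (const char *p = star + 1; *p != '\0'; p++) {
        if (*p == '.') {
            if (p[1] == '\0' || p[1] == '.')
                return false;
            dots++;
        }
    }
    /* rule 5 needs no check: non-dot characters left of the star are allowed */
    return dots >= 2;
}

/* Case-insensitive comparison of n bytes (assumption: DNS names compare
   case-insensitively). */
static bool ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    }
    return true;
}

/* Matches a host name against an acceptable pattern. The literal text before
   the star and the literal text after it must match; the star (rule 2) may
   cover any run of characters as long as none of them is a dot. Assumption:
   a run of zero characters is allowed. */
bool wildcard_matches(const char *pattern, const char *host)
{
    if (!wildcard_is_acceptable(pattern))
        return false;

    const char *star = strchr(pattern, '*');
    size_t prefix_len = (size_t)(star - pattern);
    const char *suffix = star + 1;
    size_t suffix_len = strlen(suffix);
    size_t host_len = strlen(host);

    if (host_len < prefix_len + suffix_len)
        return false;
    if (!ieq(host, pattern, prefix_len))
        return false;
    if (!ieq(host + host_len - suffix_len, suffix, suffix_len))
        return false;

    /* the part covered by the star must not cross a label boundary */
    for (const char *p = host + prefix_len; p < host + host_len - suffix_len; p++) {
        if (*p == '.')
            return false;
    }
    return true;
}

int main(void)
{
    /* constructed sample patterns, not taken from any issued certificate */
    const char *patterns[] = { "*.example.com", "foo*.example.com", "*.com",
                               "*example.com", "a.*.example.com", "*.example.com." };
    for (size_t i = 0; i < sizeof patterns / sizeof patterns[0]; i++)
        printf("%-20s %s\n", patterns[i],
               wildcard_is_acceptable(patterns[i]) ? "accepted" : "rejected");
    printf("*.example.com vs a.b.example.com: %s\n",
           wildcard_matches("*.example.com", "a.b.example.com") ? "match" : "no match");
    return 0;
}
```

The validator is a pure syntax check on the certificate name and can run once per certificate; the matcher then only has to confirm the literal prefix and suffix and refuse a dot inside the starred span, which is what stops `*.example.com` from covering `a.b.example.com`.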