Eddy Nigg (StartCom Ltd.) wrote:
> For internal networks, internally assigned domain names should be used,
> like NETWORK = intern.domain.com
Thinking further about this whole stuff: I consider the hostname checking to be a very important validation of whether the browser really connects to a host to which the user really wanted to connect. The user cannot distinguish whether the hostname in https://com is a fully-qualified domain name or not. If DNS resolving with automagic suffix search is conducted, then some disambiguation has to be made. So I'd recommend either one of these two solutions:

1. If the user enters https://hostname (hostname without dots), then the DNS resolver should, in case of SSL/TLS connects, not apply any DNS suffix search list when resolving hostname.

2. If the user enters https://hostname (hostname without dots) and DNS suffix search is conducted, the fully-qualified domain name used to connect to the host must be displayed to the user and must be verified to be in the cert.

I'd prefer 1. For both solutions only fully-qualified domain names are needed in the certs.

Ciao,
Michael.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
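The following is an added model of the two options described above, not code from the thread: it simulates a browser resolving a dotless hostname under policy 1 (no suffix search for TLS) and policy 2 (suffix search, then verify the FQDN actually used against the certificate's dNSNames). The DNS table, search list and SAN list are constructed example data; the `ndots`-style rule is simplified to "any dot disables search".

```python
# Added example (not from the mailing-list post). All data below is constructed.
DNS_TABLE = {  # constructed stand-in for the resolver
    "intranet.intern.domain.com.": "10.0.0.5",
    "www.example.com.": "192.0.2.10",
}
SEARCH_LIST = ["intern.domain.com", "domain.com"]   # constructed suffix search list
CERT_SANS = ["intranet.intern.domain.com", "*.example.com"]  # constructed cert dNSNames


def _dnsname_match(pattern: str, name: str) -> bool:
    """Match one certificate dNSName against a host name (case-insensitive,
    trailing dot ignored). Only a single leftmost wildcard label is allowed,
    and single-label names never match, so a cert with 'intranet' is useless."""
    p = pattern.lower().rstrip(".").split(".")
    n = name.lower().rstrip(".").split(".")
    if len(p) != len(n) or len(p) < 2:
        return False
    if p[0] == "*":
        return n[0] != "" and p[1:] == n[1:]
    return p == n


def cert_matches(sans, hostname) -> bool:
    return any(_dnsname_match(san, hostname) for san in sans)


def candidates(user_host: str, search_list, apply_search: bool):
    """FQDN candidates the resolver would try, in order (simplified ndots rule)."""
    if "." in user_host or not apply_search:
        return [user_host.rstrip(".") + "."]
    return [f"{user_host}.{suffix}." for suffix in search_list]


def connect(user_host, policy, dns=DNS_TABLE, search_list=SEARCH_LIST, sans=CERT_SANS):
    """Simulate the browser under policy 1 or 2.
    Returns (fqdn_actually_used or None, cert_ok). Under policy 2 the returned
    FQDN is what the UI must display, since that is the name the cert is checked against."""
    apply_search = policy == 2          # policy 1: never expand for SSL/TLS connects
    for fqdn in candidates(user_host, search_list, apply_search):
        if fqdn in dns:
            return fqdn, cert_matches(sans, fqdn)
    return None, False                  # nothing resolved: connection fails, no silent rewrite
```

Under policy 1 a bare `https://intranet` simply fails to resolve instead of silently becoming a different FQDN; under policy 2 it resolves, but the cert is checked against (and the user shown) the expanded name.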