IETF Logo Mail Archive

Re: [certid] open issue: wildcards in component fragments

Peter Saint-Andre <stpeter@stpeter.im> Thu, 07 October 2010 20:43 UTC

Return-Path: <stpeter@stpeter.im>
X-Original-To: certid@core3.amsl.com
Delivered-To: certid@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 477F73A7111 for <certid@core3.amsl.com>; Thu, 7 Oct 2010 13:43:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.555
X-Spam-Level:
X-Spam-Status: No, score=-102.555 tagged_above=-999 required=5 tests=[AWL=0.044, BAYES_00=-2.599, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Sx8c59m30nhE for <certid@core3.amsl.com>; Thu, 7 Oct 2010 13:43:16 -0700 (PDT)
Received: from stpeter.im (stpeter.im [207.210.219.233]) by core3.amsl.com (Postfix) with ESMTP id 112503A6EED for <certid@ietf.org>; Thu, 7 Oct 2010 13:43:16 -0700 (PDT)
Received: from dhcp-64-101-72-188.cisco.com (dhcp-64-101-72-188.cisco.com [64.101.72.188]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 9C2F1400EE; Thu, 7 Oct 2010 14:50:35 -0600 (MDT)
Message-ID: <4CAE3122.9080504@stpeter.im>
Date: Thu, 07 Oct 2010 14:44:18 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.5; en-US; rv:1.9.2.9) Gecko/20100915 Thunderbird/3.1.4
MIME-Version: 1.0
To: ArkanoiD <ark@eltex.net>
References: <4CACEEBC.8010109@stpeter.im> <20101007125754.GA11638@eltex.net>
In-Reply-To: <20101007125754.GA11638@eltex.net>
X-Enigmail-Version: 1.1.1
OpenPGP: url=http://www.saint-andre.com/me/stpeter.asc
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit
Cc: IETF cert-based identity <certid@ietf.org>
Subject: Re: [certid] open issue: wildcards in component fragments
X-BeenThere: certid@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: Representation and verification of identity in certificates <certid.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/certid>
List-Post: <mailto:certid@ietf.org>
List-Help: <mailto:certid-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/certid>, <mailto:certid-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 07 Oct 2010 20:43:17 -0000

On 10/7/10 6:57 AM, ArkanoiD wrote:
> Are there any such certificates "in the wild"? Do current clients
> support it? If there aren't any and it is not supported anyways,
> let's keep status quo and do not make things more complicated than
> needed. For www1, www2 etc one may use extra name component and
> that's all.

What do you mean by "the status quo" -- the text in version -09 of the
server-id-check I-D (no wildcard in component fragments, like foo*) or
the text in RFC 2818 and several other specs (*oo and f*o and foo* are
fine)?

As far as I can see, allowing wildcards in component fragments makes
things more complicated than needed because a CA needs to have more
complex rules for issuance and a TLS library or application client needs
to have a more complex parsing algorithm (checking for things like
*oo.example.com and foo*.example.com and f*o.example.com instead of just
*.example.com -- it's also not clear to me from RFC 2818 if multiple
instances of the wildcard character are allowed, such that
f*b*r.example.com would be acceptable). Allowing '*' only as the
complete left-most label seems easier to me (and I've received feedback
to that effect off-list, as well).

Peter

--
Peter Saint-Andre
https://stpeter.im/

v2.8.7 | Report a Bug | By Email