Re: [pkix] Please clarify when and where wildcards should be matched in PKIX certificates

"Mehner, Carl" <Carl.Mehner@usaa.com> Fri, 05 June 2015 15:04 UTC

From: "Mehner, Carl" <Carl.Mehner@usaa.com>
To: Tom Ritter <tom@ritter.vg>, Jeffrey Walton <noloader@gmail.com>
Date: Fri, 05 Jun 2015 15:04:03 +0000
Message-ID: <19075EB00EA7FE49AFF87E5818D673D41156DCA6@PRODEXMB01W.eagle.usaa.com>
In-Reply-To: <CA+cU71=RwPrnktLHTXgF-L3GpZX7QQL4mL+Q=ijsweENotkVxw@mail.gmail.com>
Archived-At: <http://mailarchive.ietf.org/arch/msg/pkix/s66woNptZ7nmvv4VfBtDy2qmNys>
Cc: PKIX <pkix@ietf.org>, Tomoyuki Sahara <sahara@surt.net>

> No vanity TLD has come to Mozilla or Chrome or Microsoft and said
> "Hey, we want to do *.vanity, but it doesn't work!"[0]  Just as
> dotless vanity domains (http://vanity) aren't going to work[1], we can
> say that TLD wildcards aren't going to work.
> 
> -tom
> 
> [0] Right?
Actually, Google has, and it does work (for some domains). However, Firefox broke on any host secured by a cert with a DNSName that included "*.google" in the SAN.
https://bugzilla.mozilla.org/show_bug.cgi?id=1169149

Another relevant discussion here:
https://bugzilla.mozilla.org/show_bug.cgi?id=1128673

> [1] Right? That's decided, no?
Right, ICANN has forbidden A records at the top level.
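As an added example, not code from this thread or from any browser, here is a dNSName matcher that applies the RFC 6125 section 6.4.3 wildcard rules the thread is arguing about, plus one policy knob (how many labels must follow the "*") so that a TLD-level wildcard such as "*.google" can be refused; with this matcher an unsupported wildcard entry elsewhere in the SAN list is simply skipped rather than failing the whole certificate. The SAN list and the default minimum of two labels are constructed assumptions for the demonstration.

```python
"""Wildcard dNSName matching for server-identity checks (added example)."""
import re
from typing import List, Optional

# A syntactically valid DNS label: letters, digits, hyphens, no edge hyphens.
_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")

# Constructed SAN list modelled on the thread: a host name, a normal
# wildcard, and a TLD-level wildcard like the "*.google" entry mentioned.
CONSTRUCTED_SANS = ["www.example.com", "*.example.com", "*.google"]


def _labels(name: str) -> List[str]:
    # DNS names compare case-insensitively; a trailing dot is not significant.
    return name.rstrip(".").lower().split(".")


def matches_dnsname(reference: str, presented: str,
                    min_labels_after_wildcard: int = 2) -> bool:
    """True if SAN entry `presented` identifies the host `reference`.

    Rules: "*" is allowed only as the entire left-most label; it matches
    exactly one label (never zero, never across dots); the remaining labels
    compare literally; and, as a policy assumption, at least
    `min_labels_after_wildcard` labels must follow the "*", so by default
    "*.google" matches nothing while "*.example.com" behaves normally.
    """
    ref, pres = _labels(reference), _labels(presented)
    if any(not _LABEL.match(lbl) for lbl in ref):
        return False                       # reference must be a plain host name
    if "*" not in presented:
        return ref == pres and all(_LABEL.match(lbl) for lbl in pres)
    if pres[0] != "*" or any("*" in lbl for lbl in pres[1:]):
        return False                       # partial or non-leftmost wildcard
    if any(not _LABEL.match(lbl) for lbl in pres[1:]):
        return False                       # malformed labels after the "*"
    if len(pres) - 1 < min_labels_after_wildcard:
        return False                       # policy: too few labels after "*"
    return len(ref) == len(pres) and ref[1:] == pres[1:]


def first_matching_san(reference: str, sans: List[str], **policy) -> Optional[str]:
    """First SAN dNSName that identifies `reference`; entries that do not
    match, including refused wildcards, are skipped rather than fatal."""
    for san in sans:
        if matches_dnsname(reference, san, **policy):
            return san
    return None


if __name__ == "__main__":
    for host in ("www.example.com", "mail.example.com", "www.google"):
        print(host, "->", first_matching_san(host, CONSTRUCTED_SANS))
```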