[TLS] RFC 2818 wildcard rationale
Chris Richardson <chris@randomnonce.org> Tue, 01 May 2012 11:46 UTC
Return-Path: <chris@randomnonce.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 0B67921F85AE for <tls@ietfa.amsl.com>; Tue, 1 May 2012 04:46:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.977
X-Spam-Level:
X-Spam-Status: No, score=-2.977 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, RCVD_IN_DNSWL_LOW=-1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id DWJ1Qi3+7vtO for <tls@ietfa.amsl.com>; Tue, 1 May 2012 04:45:59 -0700 (PDT)
Received: from mail-ob0-f172.google.com (mail-ob0-f172.google.com [209.85.214.172]) by ietfa.amsl.com (Postfix) with ESMTP id 76B4C21F8599 for <tls@ietf.org>; Tue, 1 May 2012 04:45:59 -0700 (PDT)
Received: by obbeh20 with SMTP id eh20so2404655obb.31 for <tls@ietf.org>; Tue, 01 May 2012 04:45:58 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:date:message-id:subject:from:to :content-type:x-gm-message-state; bh=z9Uzv3ahyZHMfWFyldFUP75ck9AODAe5f87BZup2Jos=; b=k/V3OVKFvq17g4dote+ddsE6IN9JAF1ibrqU1J4VYcAcKscXtJxuVOUecDpIPA1DMi bruUeu2ilHspJ2Hk0YAlr32fENLeBczqJlbNXsJk+JEP0yc5h2sDFhA6IXyzJK6q25Ek wRaTmggYB9qef2lhy6p0UFQx96jO2RGD3q7obDrvyssDJQhnGOIG2uNa3k0cLRL1u5lx BHEBa/272iqRuZjr+km3Ow3Hl1DHnWY5hyDrH7E7aLJQaFXJpVeLffivfPUzMBEcnLvc JLWM3HNlrkoPaMUx6MdzYYAGbwEosiixFyWrhn7KPNI+IaxDtIbqrsH4OGW21K9tygMX 7eiw==
MIME-Version: 1.0
Received: by 10.182.172.100 with SMTP id bb4mr9260755obc.22.1335872758806; Tue, 01 May 2012 04:45:58 -0700 (PDT)
Received: by 10.182.69.138 with HTTP; Tue, 1 May 2012 04:45:58 -0700 (PDT)
X-Originating-IP: [203.47.135.74]
Date: Tue, 01 May 2012 21:45:58 +1000
Message-ID: <CADKevbAKS7DQ19XYXhyN6JSLAR2C155Mp0hqTXiMHreFueOg4A@mail.gmail.com>
From: Chris Richardson <chris@randomnonce.org>
To: "tls@ietf.org List" <tls@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"
X-Gm-Message-State: ALoCoQlwAIo0sFaQ1W+4DcQ3U6l7s5XetShDpVOy0yhy9bdNIaJ/HzU8Hr/AY7mZaOkJW5qQakvF
Subject: [TLS] RFC 2818 wildcard rationale
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 May 2012 11:46:00 -0000
RFC 2818 states: Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. I was trying to figure out the rationale behind this, but have been unable to do so. I was hoping someone could enlighten me. Suppose that: (1): *.example.com matched a.b.example.com (2): *.example.com matched example.com. What security problems exist with (1) and/or (2) that are solved by following the rules of 2818? Anything more than preventing a single * from matching the entire internet? -- Chris
- [TLS] RFC 2818 wildcard rationale Chris Richardson
- Re: [TLS] RFC 2818 wildcard rationale Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] RFC 2818 wildcard rationale Peter Saint-Andre
- Re: [TLS] RFC 2818 wildcard rationale Chris Richardson
- Re: [TLS] RFC 2818 wildcard rationale Martin Rex