Re: [TLS] RFC 2818 wildcard rationale
Chris Richardson <chris@randomnonce.org> Fri, 04 May 2012 04:22 UTC
Return-Path: <chris@randomnonce.org>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2449121F86BE for <tls@ietfa.amsl.com>; Thu, 3 May 2012 21:22:03 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: 2.867
X-Spam-Level: **
X-Spam-Status: No, score=2.867 tagged_above=-999 required=5 tests=[AWL=-5.844, BAYES_00=-2.599, FM_FORGED_GMAIL=0.622, MANGLED_OFF=2.3, RCVD_IN_DNSWL_LOW=-1, SARE_SPOOF_COM2COM=2.536, SARE_SPOOF_COM2OTH=2.536, SPOOF_COM2COM=2.272, SPOOF_COM2OTH=2.044]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id KAQJzSATT80W for <tls@ietfa.amsl.com>; Thu, 3 May 2012 21:22:01 -0700 (PDT)
Received: from mail-ob0-f172.google.com (mail-ob0-f172.google.com [209.85.214.172]) by ietfa.amsl.com (Postfix) with ESMTP id 515CD21F8566 for <tls@ietf.org>; Thu, 3 May 2012 21:22:01 -0700 (PDT)
Received: by obbeh20 with SMTP id eh20so4032242obb.31 for <tls@ietf.org>; Thu, 03 May 2012 21:22:01 -0700 (PDT)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20120113; h=mime-version:x-originating-ip:in-reply-to:references:date :message-id:subject:from:to:content-type:x-gm-message-state; bh=oRKNEY2sBZhjJ6aN65KW8uOXYAmbevIYwHXvoKt8j1w=; b=KHLxxotYNBnHkNhqI4DQKrBydajELBFCA7mL6p5l1R1xafrc+nchCipsUXIz7JX86O KJVYC0R8kc5VUXDZYgTBMY9/ObiYYarG5HpcOGWM1vnNLWS/HxPaQb7By5aWWzFX0jdP HKvxEx6m6FAJvKuggvexHxHKTbcBJSiNGAXGP4Btplzw40IIvy9vl66vxmWc8Yz6WvOx 6RfnDGeEEK339EIAq1rbCbKobjfkNTu2au9kCRFZofq0ks9TKt7MJRWRcUJImW+/9FZo 95tDgUPjv7JYjMtafBjP4/gBaS9VI187fSrYfleW2guYgaUgWYJ+xK/2l2XdVpSmsjMC g3TA==
MIME-Version: 1.0
Received: by 10.60.22.234 with SMTP id h10mr3779353oef.54.1336105320977; Thu, 03 May 2012 21:22:00 -0700 (PDT)
Received: by 10.182.69.138 with HTTP; Thu, 3 May 2012 21:22:00 -0700 (PDT)
X-Originating-IP: [203.47.135.74]
In-Reply-To: <op.wdmo8rtcqrq7tp@acorna.invalid.invalid>
References: <CADKevbAKS7DQ19XYXhyN6JSLAR2C155Mp0hqTXiMHreFueOg4A@mail.gmail.com> <op.wdmo8rtcqrq7tp@acorna.invalid.invalid>
Date: Fri, 04 May 2012 14:22:00 +1000
Message-ID: <CADKevbD61SfUg8mv86hfVbn90ARCX0Cw7RrLBSPekfvDMK5enw@mail.gmail.com>
From: Chris Richardson <chris@randomnonce.org>
To: "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>, "tls@ietf.org List" <tls@ietf.org>
Content-Type: text/plain; charset="ISO-8859-1"
X-Gm-Message-State: ALoCoQlGcu567gGKaPg9YL5jLftmUgoIhOCVdQJkGD/dyoOOOBLpeiqQcjOddWQ22NlZTdV8fdEZ
Subject: Re: [TLS] RFC 2818 wildcard rationale
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 04 May 2012 04:22:03 -0000
> Regarding #1, if * matched multiple labels, it would match > www.yourbank.com.whatever.example.com, which would be a very bad thing since > it can mislead users into thinking that they are visiting > "www.yourbank.com". Are there any circumstances under which an (individual/organization) is authorized to have a certificate for *.example.com, but is not authorized to have a certificate for www.yourbank.com.whatever.example.com? > Regarding #2, I don't think that would introduce any real badness, except > having to edit the rulestring, which make already complex logic more > complex, and more likely to fail an unsecure manner (there is also the fact > that you can have "f*.example.com", which should not allow #2 to be > generated, causing more complexity). However, adding a separate rule for > "example.com" in the SAN field is very simple. If both (1) and (2) were allowed, that would eliminate the need for wildcards which should simplify the logic. And out of curiousity, are there any real examples of f*.example.com certificates? Are there any circumstances under which that is a good idea?
- [TLS] RFC 2818 wildcard rationale Chris Richardson
- Re: [TLS] RFC 2818 wildcard rationale Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] RFC 2818 wildcard rationale Peter Saint-Andre
- Re: [TLS] RFC 2818 wildcard rationale Chris Richardson
- Re: [TLS] RFC 2818 wildcard rationale Martin Rex