Re: [TLS] RFC 2818 wildcard rationale
Peter Saint-Andre <stpeter@stpeter.im> Thu, 03 May 2012 22:04 UTC
Return-Path: <stpeter@stpeter.im>
X-Original-To: tls@ietfa.amsl.com
Delivered-To: tls@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 728C021F863D for <tls@ietfa.amsl.com>; Thu, 3 May 2012 15:04:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -97.904
X-Spam-Level:
X-Spam-Status: No, score=-97.904 tagged_above=-999 required=5 tests=[AWL=-4.693, BAYES_00=-2.599, SARE_SPOOF_COM2COM=2.536, SARE_SPOOF_COM2OTH=2.536, SPOOF_COM2COM=2.272, SPOOF_COM2OTH=2.044, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id T4gyz7A0aJNB for <tls@ietfa.amsl.com>; Thu, 3 May 2012 15:04:07 -0700 (PDT)
Received: from stpeter.im (mailhost.stpeter.im [207.210.219.225]) by ietfa.amsl.com (Postfix) with ESMTP id 7233921F8686 for <tls@ietf.org>; Thu, 3 May 2012 15:04:07 -0700 (PDT)
Received: from [64.101.72.115] (unknown [64.101.72.115]) (Authenticated sender: stpeter) by stpeter.im (Postfix) with ESMTPSA id 63FEC40058; Thu, 3 May 2012 16:19:09 -0600 (MDT)
Message-ID: <4FA300D6.5060709@stpeter.im>
Date: Thu, 03 May 2012 16:04:06 -0600
From: Peter Saint-Andre <stpeter@stpeter.im>
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.7; rv:12.0) Gecko/20120428 Thunderbird/12.0.1
MIME-Version: 1.0
To: "Yngve N. Pettersen (Developer Opera Software ASA)" <yngve@opera.com>
References: <CADKevbAKS7DQ19XYXhyN6JSLAR2C155Mp0hqTXiMHreFueOg4A@mail.gmail.com> <op.wdmo8rtcqrq7tp@acorna.invalid.invalid>
In-Reply-To: <op.wdmo8rtcqrq7tp@acorna.invalid.invalid>
X-Enigmail-Version: 1.4.1
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Cc: tls@ietf.org
Subject: Re: [TLS] RFC 2818 wildcard rationale
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Thu, 03 May 2012 22:04:08 -0000
On 5/1/12 6:06 AM, Yngve N. Pettersen (Developer Opera Software ASA) wrote: > On Tue, 01 May 2012 13:45:58 +0200, Chris Richardson > <chris@randomnonce.org> wrote: > >> RFC 2818 states: >> >> Names may contain the wildcard >> character * which is considered to match any single domain name >> component or component fragment. E.g., *.a.com matches foo.a.com but >> not bar.foo.a.com. >> >> I was trying to figure out the rationale behind this, but have been >> unable to do so. I was hoping someone could enlighten me. >> >> Suppose that: >> (1): *.example.com matched a.b.example.com >> (2): *.example.com matched example.com. >> >> What security problems exist with (1) and/or (2) that are solved by >> following the rules of 2818? Anything more than preventing a single * >> from matching the entire internet? > > Regarding #1, if * matched multiple labels, it would match > www.yourbank.com.whatever.example.com, which would be a very bad thing > since it can mislead users into thinking that they are visiting > "www.yourbank.com". True. But * matches only the left-most label, so a.b.example.com doesn't match *.example.com. Peter -- Peter Saint-Andre https://stpeter.im/
- [TLS] RFC 2818 wildcard rationale Chris Richardson
- Re: [TLS] RFC 2818 wildcard rationale Yngve N. Pettersen (Developer Opera Software ASA)
- Re: [TLS] RFC 2818 wildcard rationale Peter Saint-Andre
- Re: [TLS] RFC 2818 wildcard rationale Chris Richardson
- Re: [TLS] RFC 2818 wildcard rationale Martin Rex