On 08/13/2014 08:27 AM, Erwann Abalea wrote in part:

> the question isn't "should we tolerate it?", but "what do the sacred
> scriptures ask compliant implementation to do?"

What sacred scriptures are we talking about here? I'm not an expert, so correct me if I'm wrong, but I thought RFC stood for "Request for Comments", not «Demand for Kadavergehorsamkeit».

In the world I live in, yes, there are some people who care only about scriptural exegesis. Meanwhile, there are some other people who care about doing what makes sense, doing what best serves the interests of the user community.

In any case, it is hard to find any reading of rfc5280 that disallows /.foo.com/ as a pattern. Adding stuff to the left of /.foo.bar/ should count as adding stuff to the left.

So AFAICT we are not discussing the spiritual purity of the existing openssl-1.0.1i code; as the famous anecdote says, we are just haggling over the price.
  http://quoteinvestigator.com/2012/03/07/haggling/

If anybody wants my comments on this Request-for-Comments:
 a) We need both wildcard /and/ non-wildcard forms, so that users can express what they want.
 b) If taken too literally, the text of rfc5280 does not allow sufficient expressive power.
 c) AFAICT /.foo.com/ works OK as a wildcard. Similarly, /foo.com/ works fine as a non-wildcard. Significant parts of the user community assume this is how things already work.

My spiritual advisor says that sometimes it is OK to amend the RFC.

> This one is a root, so this extension shouldn't be taken into
> account. This is clearly written in RFC5280 section 4.2.1.10.

Maybe I'm missing something, but that's not entirely clear. As I read it, name constraints should not be applied /when checking the validity of the self-signature/, but that does not mean that root CAs are completely forbidden from having name constraints. The constraints are applied to /everything else/ signed by that CA.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           majord...@openssl.org
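As an added illustration (not code from the thread and not OpenSSL's implementation), the dNSName name-constraint semantics the message argues for (leading-dot base as wildcard, bare base as exact match), with the literal RFC 5280 section 4.2.1.10 reading alongside for comparison, and the permitted/excluded subtree logic applied to one name. All host names and constraint bases below are constructed sample values.

```python
# Added example: dNSName matching under two readings of the name-constraint
# base, plus the permitted/excluded subtree decision for a single name.
from typing import Iterable


def dns_matches_constraint(host: str, base: str, rfc_literal: bool = False) -> bool:
    """Return True if dNSName `host` falls inside name-constraint `base`.

    Semantics proposed in the message (rfc_literal=False):
      '.foo.com'  wildcard: matches x.foo.com, y.x.foo.com, but not foo.com
      'foo.com'   non-wildcard: matches foo.com only
    Literal reading of RFC 5280 4.2.1.10 (rfc_literal=True):
      'foo.com'   matches foo.com and any name with labels added on the
                  left (www.foo.com), but not notfoo.com (label boundary)
    A leading-dot base is treated as a subdomain wildcard under both readings.
    Comparison is case-insensitive and a trailing dot on the host is ignored.
    """
    h = host.lower().rstrip(".")
    b = base.lower().rstrip(".")
    if b.startswith("."):
        return h.endswith(b)           # strictly a subdomain of b
    if rfc_literal:
        return h == b or h.endswith("." + b)
    return h == b


def dns_name_permitted(host: str, permitted: Iterable[str],
                       excluded: Iterable[str], rfc_literal: bool = False) -> bool:
    """RFC 5280 decision for one dNSName: it must match no excluded subtree,
    and, when any dNSName permitted subtrees exist, at least one of them."""
    permitted, excluded = list(permitted), list(excluded)
    if any(dns_matches_constraint(host, b, rfc_literal) for b in excluded):
        return False
    if permitted and not any(dns_matches_constraint(host, b, rfc_literal)
                             for b in permitted):
        return False
    return True


if __name__ == "__main__":
    # Constructed sample: CA permitted to issue under .foo.com, with an
    # internal subtree carved out by an excluded constraint.
    for name in ("www.foo.com", "foo.com", "x.internal.foo.com", "bar.com"):
        ok = dns_name_permitted(name, [".foo.com"], [".internal.foo.com"])
        print(f"{name:20} -> {'allowed' if ok else 'rejected'}")
```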