On 03/19/2014 10:38 AM, Daniel Stenberg wrote:
> On Tue, 18 Mar 2014, Ángel González wrote:
> 
>> Daniel, how does cURL check correctness of the certificate hostname
>> suffix?
> 
> It insists on at least two dots. So yes, "*.apple" will cause problems
> for us too.

There are also errors in the opposite direction: it sounds like curl
will accept a cert for *.co.uk, right?

> I view the public suffix list as one of the worst kludges in networking
> history and while I understand why it is necessary, it is next to
> impossible to actually use sensibly in lots of environments.

I agree that the PSL is a horrible kludge; I'm not sure what other
solutions are possible though, until the DNS gets some way to specify
public registries itself (e.g. the DBOUND discussion going on in the IETF).

In the meantime, we need to figure something out, though :/

        --dkg
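
The two failure directions discussed in this message, as an added example that is not part of the original mail and is not curl's code: a dot-count check compared with a lookup against public-registry data. PUBLIC_SUFFIXES is a constructed stand-in for the Public Suffix List, all function names are hypothetical, and treating "apple" as a single-operator TLD that is absent from the list is an assumption.

```python
# Added illustration, not curl's code.
# PUBLIC_SUFFIXES is a constructed stand-in for public-registry data; the
# real Public Suffix List also has wildcard and exception rules, which this
# sketch does not handle. Leaving the single-operator TLD "apple" out of it
# is an assumption made for the example.
PUBLIC_SUFFIXES = frozenset({"com", "uk", "co.uk"})


def _wildcard_base(pattern):
    """Return the name after a leading '*.', or None if the pattern is not
    a well-formed left-most-label wildcard."""
    name = pattern.lower().rstrip(".")
    if not name.startswith("*."):
        return None
    base = name[2:]
    if not base or "*" in base or any(not label for label in base.split(".")):
        return None
    return base


def two_dot_rule(pattern):
    """Heuristic as described in the thread: require at least two dots."""
    base = _wildcard_base(pattern)
    return base is not None and pattern.rstrip(".").count(".") >= 2


def suffix_list_rule(pattern, suffixes=PUBLIC_SUFFIXES):
    """Accept a wildcard only when the name under it is not a public registry."""
    base = _wildcard_base(pattern)
    return base is not None and base not in suffixes


def compare(patterns):
    """Map each pattern to (two_dot_rule, suffix_list_rule) verdicts."""
    return {p: (two_dot_rule(p), suffix_list_rule(p)) for p in patterns}


if __name__ == "__main__":
    samples = ["*.apple", "*.co.uk", "*.example.co.uk", "*.example.com"]
    for pattern, (dots, psl) in compare(samples).items():
        print(f"{pattern:18} two-dot={dots!s:5} suffix-list={psl}")
```

The two rules disagree on exactly the two patterns named in the thread and agree on ordinary registrable names.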
