Viktor Dukhovni wrote:
> On Fri, Mar 14, 2014 at 09:01:48PM -0400, James Cloos wrote:
>
>>> The folks at Postini have a wildcard cert for "*.psmtp.com" and
>>> clients publish MX records of the form:
>>>
>>> verisign.com. IN MX 100 verisign.com.s6a1.psmtp.com.
>>> verisign.com. IN MX 200 verisign.com.s6a2.psmtp.com.
>>> verisign.com. IN MX 300 verisign.com.s6b1.psmtp.com.
>>> verisign.com. IN MX 400 verisign.com.s6b2.psmtp.com.
>>
>> For some historical context, mozilla's original wildcarded ssl
>> implementation also allowed an *. to match any number of labels.
>>
>> Several sites were broken by the change to limit a wildcard to a single
>> label.
>
> I take it you're suggesting to not perpetuate Postini's abuse of
> wildcard certs? Implementations might choose to be more liberal,
> but servers can't expect multi-label wildcard support. Right?
See: http://tools.ietf.org/html/rfc6125#section-6.4.3

6.4.3. Checking of Wildcard Certificates

A client employing this specification's rules MAY match the reference identifier against a presented identifier whose DNS domain name portion contains the wildcard character '*' as part or all of a label (following the description of labels and domain names in [DNS-CONCEPTS]). For information regarding the security characteristics of wildcard certificates, see Section 7.2.

If a client matches the reference identifier against a presented identifier whose DNS domain name portion contains the wildcard character '*', the following rules apply:

1. The client SHOULD NOT attempt to match a presented identifier in which the wildcard character comprises a label other than the left-most label (e.g., do not match bar.*.example.net).

2. If the wildcard character is the only character of the left-most label in the presented identifier, the client SHOULD NOT compare against anything but the left-most label of the reference identifier (e.g., *.example.com would match foo.example.com but not bar.foo.example.com or example.com).

3. The client MAY match a presented identifier in which the wildcard character is not the only character of the label (e.g., baz*.example.net and *baz.example.net and b*z.example.net would be taken to match baz1.example.net and foobaz.example.net and buzz.example.net, respectively). However, the client SHOULD NOT attempt to match a presented identifier where the wildcard character is embedded within an A-label or U-label [IDNA-DEFS] of an internationalized domain name [IDNA-PROTO].

-Martin
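As an added example (not code from this thread or from any implementation it mentions), a Python matcher that applies the three RFC 6125 section 6.4.3 rules quoted above and then checks the four Postini MX hosts from James's message against "*.psmtp.com". It assumes each SHOULD NOT is enforced as a hard reject and that a label carries at most one '*'.

```python
def _label_matches(presented_label, reference_label):
    """Rule 3: '*' may be part of a label (baz*, *baz, b*z); match prefix and suffix.
    A single '*' per label is assumed (the RFC's examples show no more)."""
    if "*" not in presented_label:
        return presented_label == reference_label
    if presented_label.count("*") != 1:
        return False
    prefix, suffix = presented_label.split("*")
    return (len(reference_label) >= len(prefix) + len(suffix)
            and reference_label.startswith(prefix)
            and reference_label.endswith(suffix))


def wildcard_matches(presented, reference):
    """True if a presented DNS-ID (possibly containing '*') matches the reference
    identifier under RFC 6125 section 6.4.3, with each SHOULD NOT enforced."""
    p_labels = presented.lower().rstrip(".").split(".")
    r_labels = reference.lower().rstrip(".").split(".")
    if "*" not in presented:
        return p_labels == r_labels
    # Rule 1: the wildcard may only appear in the left-most label
    # (bar.*.example.net is never matched).
    if any("*" in lab for lab in p_labels[1:]):
        return False
    # Rule 2: a wildcard label stands for exactly one reference label, so
    # *.example.com matches foo.example.com but not bar.foo.example.com,
    # example.com, or the multi-label Postini hosts quoted in this thread.
    if len(p_labels) != len(r_labels):
        return False
    # Rule 3 caveat: no wildcard embedded in an A-label (xn--) or U-label
    # (non-ASCII) of an internationalized domain name.
    if p_labels[0].startswith("xn--") or not p_labels[0].isascii():
        return False
    return (_label_matches(p_labels[0], r_labels[0])
            and p_labels[1:] == r_labels[1:])


def check_postini_mx_hosts():
    """The four MX hosts quoted above, each checked against Postini's
    "*.psmtp.com" certificate; every one would need a multi-label match."""
    hosts = ["verisign.com.s6a1.psmtp.com", "verisign.com.s6a2.psmtp.com",
             "verisign.com.s6b1.psmtp.com", "verisign.com.s6b2.psmtp.com"]
    return {host: wildcard_matches("*.psmtp.com", host) for host in hosts}
```

Under these rules every Postini MX name fails, which is exactly why a client following RFC 6125 cannot be expected to accept them.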
