On Mon, Mar 17, 2014 at 11:34:07PM +0100, Martin Rex wrote:
> 2. If the wildcard character is the only character of the left-most
> label in the presented identifier, the client SHOULD NOT compare
> against anything but the left-most label of the reference
> identifier (e.g., *.example.com would match foo.example.com but
> not bar.foo.example.com or example.com).
I am aware of this SHOULD NOT. The question is whether this is
the right behaviour for opportunistic DANE TLS. There is no user
to "click OK", and if Postini-style wildcard certs are likely to
be employed or need to be employed, then perhaps the right choice
for SMTP is to tolerate multi-label wildcards.
I am not insisting one way or the other, just wondering whether
there is consensus. Fortunately, there is a UTA draft on name
checks for SMTP, and its authors have invited me to pitch in.
Their draft defines wildcards to match a single label, and this
question is perhaps best dealt with on the UTA list (where I may
again run into Martin and the rest of our fine DANE crew, but it
seems to be a more natural forum for what is I think more of an
application question).
So most likely SMTP name checks will not specifically endorse
multi-label wildcards, but if it is OK with this group, I'd like
to move this specific issue to that forum.
--
Viktor.
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
