Kyle Hamilton wrote:
We don't know exactly what rules they enforce. We know that they permit only a single '*', and do not permit any of the other forms of so-called regular expressions that are presently recognized by NSS. We don't know if they require any minimum number of dots to the right of the '*', or if they allow other things to the left of the star.

So, here's a radical thought: why don't you propose a mechanism of certificate handling and submit it through the IETF, instead of making arbitrary changes to your own policy that are all but guaranteed to reduce the Mozilla user-base? Specifications are only useful to the point that they are useful -- there are many aspects of everything cryptography-related that aren't, including specifications of policy requirements in the base protocols ("the server MUST identify itself before it asks for client authentication" being a very pointed reference).
Hi Kyle,

The original post started with:

In recent years, IETF RFC standards have arisen that prescribe the wildcard patterns that are allowed for each application protocol (e.g. there is a standard for http, one for LDAP, etc.). None of the new standards permit any form of wildcarding except "*". Some permit only one "star" per name (e.g. *.xyz.com, but not *.*.xyz.com), while others explicitly allow it. NONE allow a star to match a dot, so that in no case would "*.xyz.com" be allowed to match "www.stw.xyz.com".

The proposal to change is only because the IETF has created a standard and it differs from our existing one. The question we still have is how closely IE follows the standard (we already know it follows it more closely than we do). If a standard exists, and IE already follows it, the assumption is the actual instances of these broad-based wildcards are likely to be small, and in any case is unlikely to have any effect on the user-base.

Nelson's email is checking to see if these assumptions are in fact true.

bob
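The following is an added illustration of the two matching rules discussed in this thread; it is not NSS code and was not posted by anyone on the list. It puts a permissive glob-style match (assumed here, via Python's fnmatch, as a stand-in for the legacy behaviour in which '*' can match across dots) next to the stricter rule the thread attributes to the newer protocol RFCs: '*' must be a whole label, it matches exactly one label and never a dot, and the number of stars is capped. The requirement that stars be the leftmost labels and that at least two labels follow the star are assumptions made configurable as parameters, since the thread itself says those details are not yet known.

```python
"""Certificate wildcard matching: permissive glob vs. one-label-per-star.

Added example, not NSS code.  fnmatch is used only as an assumed model of
a legacy glob-style matcher in which '*' may swallow dots, so that
'*.xyz.com' matches 'www.stw.xyz.com'.
"""
import fnmatch


def legacy_glob_match(pattern: str, hostname: str) -> bool:
    """Assumed legacy rule: shell-style glob, case-insensitive.
    '*' matches any run of characters, including '.', so one pattern can
    cover an unbounded number of subdomain levels.  fnmatch also honours
    '?' and '[...]', i.e. the 'other forms' the thread mentions."""
    return fnmatch.fnmatchcase(hostname.lower().rstrip("."),
                               pattern.lower().rstrip("."))


def strict_wildcard_match(pattern: str, hostname: str,
                          max_stars: int = 1,
                          min_labels_after_star: int = 2) -> bool:
    """Label-wise rule: '*' is only legal as an entire label, matches exactly
    one non-empty label and never a '.', so '*.xyz.com' covers 'www.xyz.com'
    but not 'www.stw.xyz.com' or 'xyz.com'.  max_stars caps the number of
    wildcard labels (1 rejects '*.*.xyz.com').  Assumptions beyond the
    thread: stars must be the leftmost labels, and min_labels_after_star
    labels must follow them (default 2, so '*.com' is rejected)."""
    if "*" in hostname:
        return False  # a presented name is never a pattern
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")

    # Wildcard only as a whole label: 'www*.xyz.com' is rejected outright.
    if any("*" in lab and lab != "*" for lab in p):
        return False
    stars = [i for i, lab in enumerate(p) if lab == "*"]
    if len(stars) > max_stars:
        return False
    if stars:
        if stars != list(range(len(stars))):
            return False  # assumption: stars only at the left end
        if len(p) - 1 - stars[-1] < min_labels_after_star:
            return False  # assumption: enough fixed labels after the star

    # '*' never matches a dot, so label counts must agree exactly.
    if len(h) != len(p):
        return False
    return all((lab == "*" and hl != "") or lab == hl for lab, hl in zip(p, h))


def compare(cases):
    """Run both matchers over (pattern, hostname) pairs and return the
    rows (pattern, hostname, legacy_result, strict_result)."""
    return [(pat, host, legacy_glob_match(pat, host), strict_wildcard_match(pat, host))
            for pat, host in cases]


# Constructed sample inputs, drawn from the examples used in the thread.
SAMPLE_CASES = [
    ("*.xyz.com", "www.xyz.com"),        # both accept
    ("*.xyz.com", "www.stw.xyz.com"),    # legacy accepts, strict rejects
    ("*.*.xyz.com", "www.stw.xyz.com"),  # strict rejects with max_stars=1
    ("*.com", "xyz.com"),                # strict rejects: too few labels
    ("www*.xyz.com", "www2.xyz.com"),    # strict rejects partial-label star
    ("*.xyz.com", "xyz.com"),            # both reject
]

if __name__ == "__main__":
    for pat, host, legacy, strict in compare(SAMPLE_CASES):
        print(f"{pat:14} {host:18} legacy={legacy!s:5} strict={strict}")
```

Flipping max_stars to 2 makes '*.*.xyz.com' match 'www.stw.xyz.com' under the strict rule as well, which is the difference between the protocol RFCs that allow one star and those that allow several; the star-never-matches-a-dot property holds either way.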
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto