On 07/17/2017 09:27 AM, Fraser Tweedale wrote:


     This document states that the wildcard character '*' SHOULD NOT
     be included in presented identifiers but MAY be checked by
     application clients (mainly for the sake of backward
     compatibility with deployed infrastructure).

Furthermore, note that wildcards in dNSName values (SAN), although
supported by most clients, are technically a violation of RFC 5280.
The deprecation (and now, actual removal in clients) of CN-based
validation poses another challenge in this regard.

Some years ago it seemed impossible that CN-based hostname
validation, despite being officially deprecated in RFC 2818 and the
deprecation affirmed by RFC 6125, would ever happen.  But it has
happened.  The thing is... "all the clients still support it"...
until they don't anymore!

Okay, I'm aware of the reasoning, and the implications of having wildcards in the SAN, but I'm still not seeing like a drop/removal deadline date for this. We handle several hundred certs for our clients, some of which are wildcards, and it would be nice to know when this will become a serious issue long before it bites us in the butt.

(Yeah, I know it's a ginormously stupid question, but I typically don't muck with wildcard certs, so this isn't something I have had to deal with.)
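For readers who want to see concretely what the thread is talking about, here is an added example (not code from either poster) of hostname validation that checks only SAN dNSName entries, applies the RFC 6125 section 6.4.3 wildcard rules as most clients now implement them, and ignores the CN entirely. The function names and the sample certificate data are constructed for this illustration.

```python
from typing import Iterable, List, Optional


def _labels(name: str) -> List[str]:
    # DNS names compare case-insensitively; a trailing dot is ignored.
    return name.lower().rstrip(".").split(".")


def dnsname_matches(pattern: str, hostname: str) -> bool:
    """Match one SAN dNSName (possibly a wildcard) against a hostname.

    Rules applied (RFC 6125 s6.4.3 plus the stricter reading most clients
    and the CA/Browser Forum use):
      - '*' is accepted only as the entire left-most label ("*.example.com");
        partial wildcards ("f*.example.com") or a '*' deeper in the name
        are rejected outright;
      - the wildcard stands for exactly one label, so "*.example.com"
        matches "www.example.com" but not "example.com" or "a.b.example.com";
      - at least two labels must follow the wildcard, so "*.com" never matches.
    """
    if "*" in hostname:               # a hostname is never itself a wildcard
        return False
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h                 # plain exact match
    if p[0] != "*" or any("*" in lbl for lbl in p[1:]) or len(p) < 3:
        return False                  # malformed or over-broad wildcard
    return len(h) == len(p) and h[1:] == p[1:]


def verify_hostname(hostname: str, san_dnsnames: Iterable[str],
                    cn: Optional[str] = None) -> bool:
    """Accept the certificate for `hostname` only on a SAN dNSName match.

    `cn` is taken as a parameter but deliberately never consulted: this is
    the behaviour of clients that have dropped CN fallback, so a certificate
    whose only identifier is CN=www.example.com fails validation.
    """
    return any(dnsname_matches(n, hostname) for n in san_dnsnames)


if __name__ == "__main__":
    # Constructed sample: a wildcard SAN cert and a legacy CN-only cert.
    print(verify_hostname("api.example.com", ["example.com", "*.example.com"]))  # True
    print(verify_hostname("www.example.com", [], cn="www.example.com"))          # False
```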

