On Mon, Jul 17, 2017 at 10:18:40AM -0400, Mark Haney wrote:
> On 07/17/2017 09:27 AM, Fraser Tweedale wrote:
> > 
> > https://tools.ietf.org/html/rfc6125#section-7.2
> > 
> >      This document states that the wildcard character '*' SHOULD NOT
> >      be included in presented identifiers but MAY be checked by
> >      application clients (mainly for the sake of backward
> >      compatibility with deployed infrastructure).
> > 
> > Furthermore, note that wildcards in dNSName values (SAN), although
> > supported by most clients, are technically a violation of RFC 5280.
> > The deprecation (and now, actual removal in clients) of CN-based
> > validation poses another challenge in this regard.
> > 
> > Some years ago it seemed impossible that CN-based hostname
> > validation, despite being officialy deprecated in RFC 2818 and the
> > deprecation affirmed by RFC 6125, would ever happen.  But it has
> > happened.  The thing is... "all the clients still support it"...
> > until they don't anymore!
> Okay, I'm aware of the reasoning, and the implications of having wildcards
> in the SAN, but I'm still not seeing like a drop/removal deadline date for
> this. We handle several hundred certs for our clients, some of which are
> wildcards, and it would be nice to know when this will become a serious
> issue long before it bites us in the butt.
> 
> (Yeah, I know it's a ginormously stupid question, but I typically don't muck
> with wildcard certs, so this isn't something I have had to deal with.)
> 
Noone knows "when".  Just like noone knew "when" re the CN
deprecation, until Google went ahead and did it with not much notice
(2 or 3 months).

But the context is: the public PKI had to put all naming info in
SANs for quite a while.  At the time Google became first mover to
disable CN validation, there was nil chance of any impact on the
public PKI.  This is certainly not the case for wildcards today, but
efforts like Let's Encrypt are likely reducing the incidence of
wildcard certs in the wild.  (OTOH, LE just announced wildcard cert
support, albeit with a somewhat restricted scope, so go figure).

Even though there seems to be no hurry, my advice is to encourage
and assist customers to begin moving away from wildcard certs, where
it is practical to do so.

Cheers,
Fraser

> 
> -- 
> Mark Haney
> Network Engineer at NeoNova
> 919-460-3330 option 1
> mark.ha...@neonova.net
> www.neonova.net
> 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to