On Saturday 14 May 2005 20:29, Nelson B wrote:
> Gervase Markham wrote:
> > * is easy - you just display the root. So *.mozilla.org would display
> > "mozilla.org".
> >
> > Are there any other options other than * and |? Which standard covers
> > such things?
>
> The original specification for DNSname regular expressions may be seen
> at http://wp.netscape.com/eng/security/ssl_2.0_certificate.html#CA .
> Scroll up to the section named "Subject Common Name" immediately
> preceding the section to which that link takes you.  The regular
> expression grammar defined there is a superset of that in RFC 2818.
> mozilla (FF) implements that specification, having inherited that
> implementation from its predecessor.
>
> RFC 2818 (which is informational, NOT a proposed standard, but which reads
> like a proposed standard) in section 3.1 only allows * (not |) and that is
> all IE supports.

So for us users, we should stick to using * as we still
have to deal with the majority of the world using IE.
(Duane, does that make sense to you?)  I'm guessing
that IE isn't likely to implement | anytime soon.

(This and your other email explaining the list of names
would make a great FAQ entry.)

> BTW, I believe FF's present behavior of showing the user-selected DNSname,
> given that it matches one of the cert's DNSnames, is the correct behavior.


This reads as if you believe the status bar should only
show names that it has matched from the certificate.

The exceptional case that started this thread is that FF
shows a URL-derived hostname in the status bar, one
which is not in the cert.

This occurs when the user clicks-thru the popup warning
dialog that indicates that the cert failed the test.

What's your call on what the status bar should show then?

   * show nothing?
   * show some cert name (being different to the URL)?
   * show something from the URL (different to the cert)?

> However, I have seen cases where the name shown in the status bar and in
> related security dialogs did NOT match the name in the requested URL.
> There are bugs filed about this.

Ah, this sounds similar.  If I get a chance I'll search for
those bugs.

iang
-- 
http://iang.org/
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
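
The `*`-only matching of RFC 2818 section 3.1 discussed in this message, as an added example that is not part of the original email and is not Mozilla's or IE's code. The function names and sample names are constructed, and the parenthesised `|` name is an assumed spelling of an alternation pattern, which a `*`-only client treats as literal text.

```python
# Added example: "*"-only DNS name matching in the style of RFC 2818 section 3.1.
# "*" matches a single domain name component or a fragment of one component.

def _label_matches(pattern_label, host_label):
    """Match one DNS label; each '*' stands for any run of characters in that label."""
    parts = pattern_label.split("*")
    if len(parts) == 1:                      # no wildcard: exact comparison
        return pattern_label == host_label
    if not host_label.startswith(parts[0]):  # text before the first '*'
        return False
    pos = len(parts[0])
    for frag in parts[1:-1]:                 # fragments between wildcards, in order
        idx = host_label.find(frag, pos)
        if idx < 0:
            return False
        pos = idx + len(frag)
    tail = parts[-1]                         # text after the last '*'
    return len(host_label) - pos >= len(tail) and host_label.endswith(tail)

def match_rfc2818(pattern, host):
    """True if host matches pattern; '*' never spans a dot, '|' is plain text."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    return all(_label_matches(pl, hl) for pl, hl in zip(p, h))

def name_to_display(cert_names, url_host):
    """Return the certificate name that matched the URL host, or None if none did."""
    for name in cert_names:
        if match_rfc2818(name, url_host):
            return name
    return None

if __name__ == "__main__":
    # Constructed sample data, not taken from any real certificate.
    cases = [
        (["*.mozilla.org"], "www.mozilla.org"),
        (["*.mozilla.org"], "a.b.mozilla.org"),
        (["(www|secure).example.org"], "www.example.org"),  # assumed '|' syntax
    ]
    for names, host in cases:
        print(host, "->", name_to_display(names, host))
```

A `None` result is the click-through case raised above: no name from the certificate matched, so whatever the status bar then shows does not come from a verified match.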