On Mon, Feb 25, 2013 at 12:18:00PM -0500, Jay Ashworth wrote:
> If I understood Brian correctly, his problem is that people/programs
> are trying to retrieve things from, eg:
> 
> https://my.host.name./this/is/a/path
> 
> and the SSL library fails the certificate match if the cert doesn't contain
> the absolute domain name as an altName -- because *the browser* (or whatever)
> does not normalize before calling the library.

I'd argue that if you have an absolute domain name, then that _is_
the 'normalized' form of the domain name; it's an unambigious
representation of the domain name. (Here, I'm treating the string
as a serialized data structure.)

Choosing to remove the notion of "this is rooted", and then asking
any (all?) other layers to handle the introduced ambiguity sounds
like setting yourself up for the issues that RFC 1535 was drawing
attention to.

> Cheers,
> -- jra
> -- 
> Jay R. Ashworth                  Baylink                       
> j...@baylink.com
> Designer                     The Things I Think                       RFC 2100
> Ashworth & Associates     http://baylink.pitas.com         2000 Land Rover DII
> St Petersburg FL USA               #natog                      +1 727 647 1274

-- 
Brian Reichert                          <reich...@numachi.com>
BSD admin/developer at large    

Reply via email to