> Note that the implementation in master (some day 1.1.0) already rejects
> *.com, what it fails to reject is *.co.uk

Yes, I understand; my example was wrong, sorry.

> I think the onus is on the trusted CA ( that wants to remain trusted) to not
> issue such certificates.

And mistake-free?

> I am far from sure the callback is worth the trouble.

It's all about trade-offs. I could imagine a callback being generally useful.
/r$
--
Principal Security Engineer
Akamai Technology
Cambridge, MA
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [email protected]
Automated List Manager [email protected]