On Tue, Apr 29, 2025 at 02:25:52PM +0000, [email protected] wrote:
> The document will point to rfc9525#section-7.1 for a discussion of the
> wildcard risks.
>
> > Even if wildcards are supported, they should at least be
> > discouraged.
>
> The proposed text adheres to the restrictions set in rfc9525. Is there
> any reason tacacs+ has to deviate from the guards/restrictions in
> rfc9525#section-6.3?
Section 6.3 is neither a suggestion nor a requirement to support
wildcards in application protocols. Some of the risks are covered
in
https://www.rfc-editor.org/rfc/rfc9525#section-7.1
and it has long been understood (see the obsoleted RFC6125) that
wildcards are best avoided in protocols that don't have a large
installed base of legacy wildcard certs:
    Notwithstanding the foregoing security considerations, specifications
    that reuse this one can legitimately encourage continued support for
    the wildcard character if they have good reasons to do so, such as
    backward compatibility with deployed infrastructure (see, for
    example, [EV-CERTS]).
--
Viktor.
_______________________________________________
OPSAWG mailing list -- [email protected]
To unsubscribe send an email to [email protected]
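As an added illustration (not code from this thread, from RFC 9525, or from any TACACS+ draft), the following Python matcher applies the RFC 9525 section 6.3 rules for a wildcard presented identifier that the two posters refer to. The `allow_wildcards` switch is a constructed knob standing in for a protocol profile that declines to support wildcard certs at all; the function and its name are assumptions of this example.

```python
"""RFC 9525 section 6.3 DNS-ID matching with an optional wildcard policy.

Added example, not from the mailing-list thread or any TACACS+ draft.
Rules encoded (RFC 9525 section 6.3):
  1. '*' may only be the complete left-most label of the presented DNS-ID.
  2. The wildcard covers exactly one label: '*.example.com' matches
     foo.example.com, but not bar.foo.example.com and not example.com.
  3. The wildcard is not matched against an internationalized (A-label)
     left-most label of the reference identifier.
The allow_wildcards flag is a constructed policy switch; a profile that
does not support wildcard certs simply never enables it.
"""
import re

# Ordinary LDH label: letters, digits, hyphens; no leading/trailing hyphen.
_LDH_LABEL = re.compile(r"^[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?$")


def _labels(name: str) -> list[str]:
    """Lowercase, drop one trailing dot, split into DNS labels."""
    return name.lower().rstrip(".").split(".")


def dns_id_matches(presented: str, reference: str,
                   allow_wildcards: bool = False) -> bool:
    """True if the certificate's dNSName `presented` matches `reference`.

    presented  -- DNS-ID from the server certificate, e.g. '*.example.com'
    reference  -- host name the client intended to connect to
    """
    p, r = _labels(presented), _labels(reference)
    if "*" not in presented:
        return p == r                      # plain case-insensitive match
    if not allow_wildcards:
        return False                       # policy: wildcards unsupported
    # Rule 1: wildcard must be the whole left-most label and appear nowhere
    # else (rejects 'bar.*.example.net' and partial labels like 'baz*').
    if p[0] != "*" or any("*" in label for label in p[1:]):
        return False
    # Rule 2: exactly one label is covered, so label counts must be equal.
    if len(p) != len(r) or len(p) < 2:
        return False
    # Rule 3: never match the wildcard against an A-label (xn--) or a label
    # that is not a plain LDH label.
    if r[0].startswith("xn--") or not _LDH_LABEL.match(r[0]):
        return False
    return p[1:] == r[1:]
```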