David Harrington wrote:
> > If the locally configured name is an internationalized domain name,
> > conforming implementations MUST convert it to the ASCII Compatible
> > Encoding (ACE) format as specified in Section 7 of RFC 5280.
> 
> Do we need to be clear about when (i.e. for what usages) this
> translation needs to be done? Is this necessary before string
> comparisons, for example?

Could perhaps add "before comparing it with the certificate"?

> > The '*' (ASCII 42) wildcard character is allowed in the dNSName of
> > the subjectAltName extension (and in common name, if used to store
> > the host name), and then only as the left-most (least significant)
> > DNS label in that value.  This wildcard matches any left-most DNS
> > label in the server name.  That is, the subject *.example.com
> > matches the server names a.example.com and b.example.com, but does
> > not match example.com or a.b.example.com. Implementations MUST
> > support wildcards in certificates as specified above, but MAY
> > provide a configuration option to disable them.
> 
> Shouldn't we make the ability to disable wildcards a MUST-implement,
> so we can be sure the strong-security option will be available if an
> operator wants to disable them for security reasons? That would seem
> to be consistent with BCP61.

Hmm... IMHO wildcards in certificates are compatible with strong
security -- they're just convenient shorthand for multiple names.
Disabling wildcards basically makes sense if the operator doesn't
trust the CA to issue certificates properly (and IMHO in this case,
you have worse problems), so I don't think anything stronger than
MAY is needed here.

Best regards,
Pasi
_______________________________________________
Syslog mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/syslog
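The matching rule quoted above (ACE conversion of the configured name before comparison, '*' honoured only as the entire left-most label, one label per wildcard, and an operator option to disable wildcards) is small enough to write out. The following is an added illustration for this thread, not text from the draft or code from any syslog implementation. It assumes Python's built-in `idna` codec (IDNA 2003) is an acceptable stand-in for the RFC 5280 Section 7 conversion, and it compares labels case-insensitively, which the quoted text does not state but which follows from DNS name semantics; the function and parameter names are my own.

```python
"""
Host name matching against a certificate dNSName, following the rule
quoted in the thread: '*' matches exactly one left-most DNS label.
Added illustration for this discussion, not draft or project code.
"""
from __future__ import annotations


def to_ace(name: str) -> str:
    """Convert an internationalized host name to its ASCII Compatible
    Encoding (punycode labels prefixed with 'xn--'), lower-cased.

    Assumption: Python's built-in 'idna' codec (IDNA 2003) is close enough
    to the RFC 5280 Section 7 conversion for this illustration; a production
    implementation would use an IDNA 2008 library.
    """
    # A trailing dot (absolute name) is stripped so label counts line up.
    name = name.rstrip(".")
    # ASCII labels pass through the codec unchanged; only case folding applies.
    return name.encode("idna").decode("ascii").lower()


def dns_name_matches(cert_name: str, server_name: str,
                     allow_wildcards: bool = True) -> bool:
    """Return True if the certificate dNSName matches the configured server name.

    Rules implemented (from the quoted draft text):
      * the locally configured name is converted to ACE before comparison;
      * '*' is honoured only as the entire left-most label;
      * a wildcard stands in for exactly one label, so *.example.com matches
        a.example.com but not example.com or a.b.example.com;
      * a '*' anywhere else is a literal that no real DNS label can equal;
      * allow_wildcards=False models the operator option to disable them.
    """
    # dNSName is an IA5String and is already in ACE form, so only case-fold it.
    cert_labels = cert_name.rstrip(".").lower().split(".")
    server_labels = to_ace(server_name).split(".")

    # Reject empty labels (e.g. "a..example.com") on either side.
    if any(not lbl for lbl in cert_labels) or any(not lbl for lbl in server_labels):
        return False

    if cert_labels[0] == "*":
        if not allow_wildcards:
            return False
        # Exactly one label is covered by the wildcard: the label counts must
        # agree and every remaining label must match literally.
        if len(cert_labels) != len(server_labels):
            return False
        return cert_labels[1:] == server_labels[1:]

    # Any other placement of '*' (e.g. "a*.example.com" or "a.*.example.com")
    # is not a wildcard under this rule and cannot match a real DNS label.
    if any("*" in lbl for lbl in cert_labels):
        return False

    return cert_labels == server_labels


if __name__ == "__main__":
    # Constructed sample pairs mirroring the draft's own examples.
    for cert, host in [("*.example.com", "a.example.com"),
                       ("*.example.com", "example.com"),
                       ("*.example.com", "a.b.example.com"),
                       ("xn--bcher-kva.example.com", "bücher.example.com")]:
        print(f"{cert:28} vs {host:22} -> {dns_name_matches(cert, host)}")
```

Passing `allow_wildcards=False` answers the "MUST-implement versus MAY" question in code: the only behavioural change is that a left-most '*' label stops matching anything, so a deployment that distrusts its CA's wildcard issuance can turn the shorthand off without touching the rest of the comparison.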