On Wed, Oct 23, 2019 at 04:52:57PM -0400, Ben Schwartz wrote:
> On Wed, Oct 23, 2019 at 1:11 PM Ilari Liusvaara
> >
> > Perhaps a simpler way would be to have a flag that causes the first
> > label to be overwritten with '*'. That would be set on nodes covered
> > by a wildcard certificate.
> 
> This is a reasonable simplification.  It would also work nicely
> without the hashing, for servers that only have reasonably-sized names
> but can't make promises about wildcards.  However, it does still
> suffer from the configuration brittleness described by David Benjamin
> in #186.

I think all mechanisms that transmit only a single hash need to know
if some node is covered by an exact name or a wildcard.

And wildcard expansion is at worst 63 bytes, due to DNS limitations,
so transmitting the full first label and a 32-octet hash of the rest would
take 96 octets (if one can assume the host character set, that could be fit
into 80 octets with some encoding).

Then if one had two hashes, one could fit those into 64 bytes (or 48 if
one truncated the hashes to 192 bits, as the scope of uniqueness is just a
single server). This would not depend on knowing if the node is a wildcard
or not.


-Ilari

_______________________________________________
TLS mailing list
TLS@ietf.org
https://www.ietf.org/mailman/listinfo/tls
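An added illustration of the two encodings sketched in the mail above (not code from the thread or from any ECH/ESNI implementation): option (a) sends the literal first label plus a 32-octet hash of the rest, option (b) sends two 192-bit hashes, and the server-side lookup shows why (b) lets the sender stay ignorant of whether a node is a wildcard. SHA-256, the fixed 64-octet label field used to reach the 96-octet total, and all names and certificate ids are assumptions.

```python
import hashlib
# Constructed example: SHA-256 assumed as the hash; for option (a) the literal label
# is assumed to sit in a fixed 64-octet field (1 length byte + up to 63 chars, padded).
MAX_LABEL = 63      # DNS label limit, hence "at worst 63 bytes"
LABEL_FIELD = 64    # assumed fixed-width field for the literal first label
TRUNC = 24          # 192-bit truncation: uniqueness only needed within one server

def _split(name):
    """Lowercase, drop a trailing dot, return (first label, remaining labels)."""
    first, _, rest = name.rstrip(".").lower().partition(".")
    if not 1 <= len(first) <= MAX_LABEL:
        raise ValueError("first label must be 1..63 octets")
    return first, rest

def _h(s, n=32):
    return hashlib.sha256(s.encode("ascii")).digest()[:n]

def encode_label_plus_hash(name):
    """Option (a): literal first label + 32-octet hash of the rest = 96 octets.
    The sender must already know to put '*' here for a wildcard node."""
    first, rest = _split(name)
    field = bytes([len(first)]) + first.encode("ascii")
    return field.ljust(LABEL_FIELD, b"\0") + _h(rest)

def encode_two_hashes(name):
    """Option (b): hash(first label) || hash(rest), each truncated to 192 bits = 48 octets."""
    first, rest = _split(name)
    return _h(first, TRUNC) + _h(rest, TRUNC)

def server_lookup(encoded, config):
    """Server side of option (b). config maps 'host.example' or '*.example' to a
    certificate id. Exact nodes need both hashes to match, wildcard nodes only the
    suffix hash, and an exact node wins over a wildcard. The sender never had to
    know which kind of node it was addressing."""
    h_first, h_rest = encoded[:TRUNC], encoded[TRUNC:]
    wildcard_hit = None
    for pattern, cert in config.items():
        first, rest = _split(pattern)
        if _h(rest, TRUNC) != h_rest:
            continue
        if first == "*":
            wildcard_hit = cert
        elif _h(first, TRUNC) == h_first:
            return cert
    return wildcard_hit

if __name__ == "__main__":  # constructed names and certificate ids
    config = {"www.example.net": "cert-www", "*.example.net": "cert-wild"}
    print(server_lookup(encode_two_hashes("api.example.net"), config))  # cert-wild
```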