On 2016-05-12 at 00:47 -0400, Viktor Dukhovni wrote:
>
> > > I suppose the "_.example.com" were actually intended to be
> > > "*.example.com", as I see no use of such underscores in rfc6125.
> > > The grammar should be amended accordingly.
>
> "*.example.com" would not be a good syntax to use, it is too easily
> confused with the wildcard syntax on the server-certificate side.
> This is a client-side wildcard that is semantically different.
>
> A better syntax would be ".example.com" to indicate any proper
> sub-domain of example.com. No leading "*" or "_".
>
As long as the optional part of rfc6125 is changed to compulsory, I see no problem. We would be using the same rules as certificates (actually a superset of what is implemented in webpki), and I don't think anyone would be misled by what the * really means (except perhaps for the can't-cross-dots rule). Much easier than underscores in fact.

I see value in allowing a restricted wildcard of mx*.dyndns.com rather than *.dyndns.com

Of course, some examples should be added so implementors don't forget about these cases (from which they would hopefully find their way into test suites).

Best

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
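An added example, not code from the thread or from any UTA draft: a matcher for the three pattern forms discussed above (Viktor's ".example.com" proper-sub-domain form, an RFC 6125-style leftmost-label wildcard such as "mx*.dyndns.com", and a plain exact name), including the can't-cross-dots rule. The grammar is an assumption made for illustration, and the test cases are the kind of examples the reply asks implementors to keep in their test suites.

```python
# Added example, not from the thread: a matcher for the candidate
# client-side name patterns under discussion. The grammar is an
# assumption made for illustration, not any draft's final syntax.

def _labels(name):
    # DNS names are case-insensitive and a trailing dot is not significant.
    return name.lower().rstrip(".").split(".")

def matches_pattern(pattern, hostname):
    """Return True if hostname is covered by pattern.

    Accepted forms:
      ".example.com"      any proper sub-domain of example.com, never the
                          parent itself (the syntax proposed in the quote)
      "mx*.dyndns.com"    RFC 6125-style wildcard: one '*' in the leftmost
                          label only, and it never crosses a dot
      "mail.example.com"  exact match
    """
    plabels, hlabels = _labels(pattern), _labels(hostname)
    if not hostname or not all(hlabels):
        raise ValueError("malformed hostname")

    # Form 1: leading dot means any proper sub-domain of the parent.
    if pattern.startswith("."):
        parent = plabels[1:]
        return len(hlabels) > len(parent) and hlabels[-len(parent):] == parent

    head_label, rest = plabels[0], plabels[1:]
    if any("*" in lab for lab in rest) or not all(rest):
        raise ValueError("wildcard permitted only in the leftmost label")

    # Form 3: no wildcard, plain label-by-label comparison.
    if "*" not in head_label:
        return plabels == hlabels

    # Form 2: the can't-cross-dots rule means the label counts must agree
    # and every label to the right of the wildcard matches literally.
    if head_label.count("*") != 1 or len(rest) < 2:
        raise ValueError("one '*' in the leftmost label and at least two more labels")
    if len(hlabels) != len(plabels) or hlabels[1:] != rest:
        return False
    head, tail = head_label.split("*")
    h = hlabels[0]
    # '*' stands for any run of non-dot characters, the empty run included,
    # so "mx*.dyndns.com" covers both "mx1.dyndns.com" and "mx.dyndns.com".
    return (len(h) >= len(head) + len(tail)
            and h.startswith(head) and h.endswith(tail))
```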
