On Tue, Aug 08, 2017 at 05:30:18PM +0300, Ilari Liusvaara wrote:
> On Tue, Aug 08, 2017 at 08:58:03AM -0400, Daniel Margolis wrote:

Also, reading the specification, there look to be some issues with the use of PKIX:

1) CN-IDs have long been deprecated. RFC 6125 is pretty clear that:

   - If SAN contains any recognized identifier type (which here does include DNS-ID), then CN-ID MUST be ignored. So union is just wrong.
   - CN-ID is for backward compatibility only, which does not apply here, since the specification is new -> CN-ID is not to be used at all.

2) Does mx pattern '.example.net' match host 'example.net'? The text does not explicitly say if it does or does not (the example code in the appendix does not seem to consider those two to match).

3) The wildcards in PKIX are not recursive. Thus, a certificate with only SAN '*.example.net' cannot match 'foo.bar.example.net'. Yet, tracing the code in the appendix, it appears that the code considers this to match.

-Ilari

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
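The three points above contrast two different matching rules: the MTA-STS mx pattern in the policy, and the RFC 6125 rules for matching a host against the identifiers in a certificate. The following is an added illustration, not code from the draft, its appendix, or the message author; it implements the RFC 6125 behaviour the message describes (CN-ID ignored whenever SAN carries a DNS-ID, wildcard only as the whole left-most label and matching exactly one label) and, as a labelled assumption, reads '.example.net' the way the message says the appendix code does (subdomains match, the apex 'example.net' does not). Function names are mine.

```python
"""Host-name matching for an MTA-STS style policy check.

Added example; not taken from the draft or the appendix code it discusses.
Two separate questions are answered separately:
  1. does the MX host fall under the policy's mx pattern?  (policy rule)
  2. does the certificate presented by that host name it?   (RFC 6125 rule)
A "yes" to the first never implies a "yes" to the second.
"""


def _normalize(name: str) -> str:
    """Case-fold and drop a trailing dot so comparisons are label-by-label."""
    return name.strip().rstrip(".").lower()


def dns_id_matches(reference: str, presented: str) -> bool:
    """RFC 6125 section 6.4.3 wildcard rule for a presented DNS-ID.

    '*' may only be the complete left-most label, matches exactly one
    label, and never spans a dot: '*.example.net' does not match
    'foo.bar.example.net' and does not match 'example.net'.
    """
    ref = _normalize(reference).split(".")
    pres = _normalize(presented).split(".")
    if len(ref) != len(pres):
        return False  # wildcards are not recursive; label counts must agree
    if pres[0] == "*":
        if len(pres) < 3:
            return False  # refuse overly broad wildcards such as '*.net'
        return ref[1:] == pres[1:]
    if "*" in presented:
        return False  # partial-label ('m*.example.net') or non-leftmost wildcards
    return ref == pres


def cert_matches_host(host, san_dns_ids, cn_ids, allow_cn_id=False) -> bool:
    """RFC 6125 section 6.4.4: if the SAN holds any DNS-ID, CN-ID is ignored.

    Taking the union of SAN and CN is the mistake the message points out.
    CN-ID is consulted only when SAN has no DNS-ID at all, and only if the
    caller explicitly opts into that backward-compatibility behaviour; a
    new protocol should leave allow_cn_id at its default of False.
    """
    if san_dns_ids:
        return any(dns_id_matches(host, p) for p in san_dns_ids)
    if allow_cn_id:
        return any(dns_id_matches(host, p) for p in cn_ids)
    return False


def mx_pattern_matches(host: str, pattern: str) -> bool:
    """Policy-side mx pattern check.

    Assumed semantics (the draft text does not pin this down, per the message):
    a pattern with a leading dot, '.example.net', matches any host strictly
    below example.net at any depth, and does not match 'example.net' itself.
    Any other pattern must match the host exactly.
    """
    h = _normalize(host)
    p = pattern.strip().lower()
    if p.startswith("."):
        base = _normalize(p.lstrip("."))
        return h.endswith("." + base)
    return h == _normalize(p)


def mx_acceptable(host, pattern, san_dns_ids, cn_ids):
    """Run both checks and return (policy_ok, cert_ok) so a caller can see
    which rule rejected the host rather than collapsing them into one bool."""
    return (mx_pattern_matches(host, pattern),
            cert_matches_host(host, san_dns_ids, cn_ids))


if __name__ == "__main__":
    # Constructed sample: a deep MX host under a policy pattern, with a
    # certificate whose only SAN is a single-label wildcard.
    print(mx_acceptable("foo.bar.example.net", ".example.net",
                        ["*.example.net"], ["foo.bar.example.net"]))
```

The last call returns (True, False): the host is covered by the policy pattern, but the certificate's '*.example.net' SAN does not name it, and the matching CN is ignored because a DNS-ID is present. That split result is exactly the case the message says the appendix code gets wrong.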
