On Tue, Aug 08, 2017 at 05:30:18PM +0300, Ilari Liusvaara wrote:
> On Tue, Aug 08, 2017 at 08:58:03AM -0400, Daniel Margolis wrote:
> Also, reading the specification, there look to be some issues with
> the use of PKIX:
> 1) CN-IDs have long been deprecated. RFC 6125 is pretty clear that:
> - If SAN contains any recognized identifier type (which here does
> include DNS-ID), then CN-ID MUST be ignored. So union is just wrong.
> - CN-ID is for backward compatibility only, which does not apply here,
> since the specification is new -> CN-ID is not to be used at all.
> 2) Does mx pattern '.example.net' match host 'example.net'? The text
> does not explicitly say if it does or does not (the example code in
> the appendix does not seem to consider those two to match).
> 3) The wildcards in PKIX are not recursive. Thus, a certificate with only
> SAN '*.example.net' cannot match 'foo.bar.example.net'. Yet, tracing
> the code in the appendix, it appears that the code considers this to match.
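A small reference matcher for the three PKIX points above (added example, not code from the MTA-STS draft or its appendix). It applies the RFC 6125 rules as stated in the message; the single-label semantics of the leading-dot MX pattern is an assumption, and whether that pattern covers the apex is left as an explicit parameter since that is the open question.

```python
# Added example: reference matcher for the PKIX name rules discussed in the
# thread. Not code from the draft; function names and the leading-dot
# single-label MX semantics are assumptions made here.
from typing import Optional, Sequence


def _labels(name: str) -> list:
    """Lower-case, strip a trailing dot, split into DNS labels."""
    return name.lower().rstrip(".").split(".")


def dns_id_matches(dns_id: str, host: str) -> bool:
    """RFC 6125 6.4.3: a wildcard covers exactly one leftmost label, never
    several, so '*.example.net' does not match 'foo.bar.example.net'."""
    pat, hst = _labels(dns_id), _labels(host)
    if len(pat) != len(hst):
        return False
    if pat[0] == "*":
        return len(pat) > 1 and pat[1:] == hst[1:] and hst[0] not in ("", "*")
    return pat == hst


def cert_matches_host(san_dns_ids: Sequence[str], cn: Optional[str],
                      host: str) -> bool:
    """RFC 6125 6.4.4: if the SAN carries any DNS-ID, the CN-ID MUST be
    ignored. A union of SAN and CN would wrongly let a certificate with
    SAN ['other.example'] and CN 'mx.example.net' match 'mx.example.net'."""
    if san_dns_ids:
        return any(dns_id_matches(d, host) for d in san_dns_ids)
    # CN-ID fallback only when there is no DNS-ID at all; the message argues
    # a new specification should not even allow this branch.
    return cn is not None and dns_id_matches(cn, host)


def mx_pattern_matches(pattern: str, mx_host: str,
                       dot_matches_apex: bool) -> bool:
    """Matcher for the draft's leading-dot MX pattern ('.example.net').
    Assumption: a leading dot covers exactly one label below the suffix,
    mirroring PKIX wildcards. Whether it also covers the apex is the
    question raised in point 2, so it is an explicit parameter here."""
    pat, hst = _labels(pattern), _labels(mx_host)
    if pat[0] != "":                    # no leading dot: exact match only
        return pat == hst
    suffix = pat[1:]
    if hst == suffix:                   # 'example.net' against '.example.net'
        return dot_matches_apex
    return len(hst) == len(suffix) + 1 and hst[1:] == suffix
```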