On Thu, Jul 08, 2021 at 02:12:51PM +0000, Salz, Rich wrote:

> A discussion started on the GitHub repo
> https://github.com/richsalz/draft-ietf-uta-rfc6125bis about what is
> allowed for the wildcard character, such as in DNS entries in
> subjectAltName.  I am about to publish a new draft which takes the old
> adopted “diff” version and does a full version of 6125. The current
> draft says that a wildcard may be the first, or only, character in the
> left-most DNS name.
> 
> Brian Smith and Ryan Sleevi started a discussion on the PR
> https://github.com/richsalz/draft-ietf-uta-rfc6125bis/pull/1#discussion_r663206174
> recommending that the doc should be the *only* character.  For
> example, *.apps.example.com is okay, but *apps.example.com is not.
> 
> I’d like to know what the WG thinks.  As we’re not really using GitHub
> for discussion, please comment on this list.

If (and presumably given that) support for wildcard names is to
continue to exist, the syntax should be as narrow as possible.  So
"only" would be the best choice.

That said, it'd be really super if various application profiles decided
to do away with wildcard certificates entirely.  Their $$$ cost
advantage is long gone, and otherwise they just damage security by
enabling cross application protocol attacks, and damage availability by
encouraging simultaneous updates of certificates across independent
service endpoints (e.g. multiple MX hosts sharing a wildcard cert).

So the sooner we can get rid of wildcard certificates entirely, the
better.  They've outlived their usefulness.

-- 
    Viktor.
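The two syntaxes under discussion, as an added Python example that is not part of the thread or of the draft: `wildcard_allowed` and `matches` are hypothetical names; the `strict` flag selects the "only character" rule proposed on the PR versus the current draft's "first character" rule. The check that a wildcard must leave at least two further labels is an added assumption, not something either message states.

```python
# Added illustration of the two wildcard syntaxes discussed above.
# strict=True : '*' must be the entire left-most label ("*.apps.example.com").
# strict=False: '*' may merely be the first character of it ("*apps.example.com").

def _labels(name: str):
    # Case-insensitive comparison; a trailing dot is ignored.
    return name.lower().rstrip(".").split(".")

def wildcard_allowed(pattern: str, strict: bool = True) -> bool:
    """True if the presented DNS identifier is syntactically acceptable."""
    labels = _labels(pattern)
    if any(not l for l in labels):
        return False                      # empty label, e.g. "a..b"
    head, rest = labels[0], labels[1:]
    if any("*" in l for l in rest):
        return False                      # '*' only ever in the left-most label
    if "*" not in head:
        return True                       # plain name, no wildcard
    if len(rest) < 2:
        return False                      # assumption: reject "*.com" style names
    if strict:
        return head == "*"
    return head.startswith("*") and head.count("*") == 1

def matches(pattern: str, hostname: str, strict: bool = True) -> bool:
    """True if hostname matches the presented identifier under the chosen rule."""
    if "*" in hostname or not wildcard_allowed(pattern, strict):
        return False
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or any(not l for l in h):
        return False                      # '*' never spans more than one label
    if "*" not in p[0]:
        return p == h
    if p[1:] != h[1:]:
        return False                      # everything right of the wildcard is literal
    if p[0] == "*":
        return True
    suffix = p[0][1:]                     # loose rule: "*apps" matches "myapps"
    return h[0].endswith(suffix) and len(h[0]) > len(suffix)
```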

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
