Jim Fenton <fen...@bluepopcorn.net> wrote:
>
> I would expect subjectAltName to have the same constraints as DNS
> entries have, which only allow wildcards for full labels, so I support
> only allowing *.apps.example.com.
Well, it's more complicated than that, because it isn't feasible to get certificate wildcards to have the same semantics as DNS wildcards.

My understanding is that PKIX wildcard matching originally used glob(3) (with . as the separator instead of /), which is both more relaxed and more restricted than DNS wildcards.

It's more relaxed because glob() allows wildcards to appear anywhere. For PKIX, the allowed position of wildcards has been gradually restricted over time. This discussion is about restricting wildcards to just "*." at the start of the name, like DNS wildcards.

The complication comes from how matching is done, which is more restricted in PKIX than in the DNS. In the DNS, a wildcard matches any number of labels at the start of the name. In glob() and in PKIX, the wildcard can only match one label. I don't think it is feasible or desirable to make PKIX wildcards match multiple labels like DNS wildcards do.

So any description of wildcards should (still) emphasize that even though PKIX and DNS wildcards (now) have the same syntax, they still don't have the same semantics.

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> https://dotat.at/
Trafalgar: Mainly northerly 5 to 7, but easterly or northeasterly 6 to gale 8 in far southeast, perhaps severe gale 9 later in far southeast. Moderate or rough. Fair. Good.

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
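The semantic difference Tony describes, as an added example that is not part of the thread: `pkix_match` implements the restricted PKIX rule under discussion (a wildcard only as the complete leftmost label, matching exactly one label), while `dns_match` implements DNS-style wildcards (the leftmost "*" matches one or more labels). Both functions are illustrative code written for this note, not a real library API, and they deliberately ignore DNS closest-encloser rules.

```python
def _labels(name: str) -> list[str]:
    # Hostnames are case-insensitive; a trailing dot is just the root.
    return name.lower().rstrip(".").split(".")


def pkix_match(pattern: str, host: str) -> bool:
    """Restricted PKIX matching: "*." allowed only at the start, one label."""
    pat, hst = _labels(pattern), _labels(host)
    if "*" not in pattern:
        return pat == hst
    # Reject glob-style partial wildcards (f*.example.com) and wildcards
    # anywhere other than the complete leftmost label (www.*.example.com).
    if pat[0] != "*" or any("*" in label for label in pat[1:]):
        return False
    # The wildcard stands for exactly one label, so the label counts must
    # agree and every fixed label must match.
    return len(pat) == len(hst) and pat[1:] == hst[1:]


def dns_match(pattern: str, host: str) -> bool:
    """DNS-style matching: a leading "*" stands for one or more labels."""
    pat, hst = _labels(pattern), _labels(host)
    if pat[0] != "*":
        return pat == hst
    suffix = pat[1:]
    if not suffix:
        return False  # a bare "*" is not a usable wildcard owner name
    # At least one label must replace the wildcard; the rest must match.
    return len(hst) > len(suffix) and hst[-len(suffix):] == suffix


def compare(pattern: str, host: str) -> tuple[bool, bool]:
    """Return (pkix_result, dns_result) for the same pattern and host."""
    return pkix_match(pattern, host), dns_match(pattern, host)


if __name__ == "__main__":
    # Constructed sample names: same syntax, different semantics.
    for host in ("foo.apps.example.com", "bar.foo.apps.example.com",
                 "apps.example.com"):
        print(f"*.apps.example.com vs {host}: pkix/dns =",
              compare("*.apps.example.com", host))
```

The second sample host is the one that matters: it matches under DNS rules but not under PKIX rules, which is exactly why a shared "*." syntax does not imply shared semantics.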