Ryan Sleevi <[email protected]> wrote:

> On Fri, Jul 9, 2021 at 3:03 PM Tony Finch <[email protected]> wrote:
>
> > My understanding is that PKIX wildcard matching originally used glob(3),
> > (with . as the separator instead of /) which is both more relaxed and more
> > restricted than DNS wildcards.
>
> I'm not aware of any implementations with that semantics.

To be honest, that's a vague memory from about 1998 :-) and I think I'm
remembering some clone-and-hack code rather than calls to literal glob(3)
because glob() wasn't very portable.

> > So any description of wildcards should (still) emphasize that even though
> > PKIX and DNS wildcards (now) have the same syntax, they still don't have
> > the same semantics.
>
> Are you suggesting that it should continue to emphasize that it only
> matches a single domain label, or a more explicit comparison to the DNS
> semantics? If the latter, are you thinking by incorporating and referencing
> RFC 4592 [2]?

I think the latter would be most helpful. I'm not sure if the text should go
in section 6.4.3 (spec) or 7.2 (security considerations), but it should say
something like:

: A wildcard in a presented identifier can only match exactly one label in
: a reference identifier. Note that this is not the same as DNS wildcard
: matching, where the "*" label always matches at least one whole
: label and sometimes more. See [RFC 1034] section 4.3.3 and [RFC 4592].

(quoting part of a sentence from RFC 1034 - and these references should be
informative)

And while I was looking at how this might fit into the draft, I spotted a
mistake in section 7.2. This sentence:

: Wildcard certificates automatically vouch for any and all host names
: within their domain.

should say something like:

: Wildcard certificates automatically vouch for any single-label host
: names within their domain, but not within subdomains.

Tony.
-- 
f.anthony.n.finch <[email protected]> https://dotat.at/
St Davids Head to Great Orme Head, including St Georges Channel: Variable,
mainly southeast, 2 to 4. Smooth or slight, occasionally moderate later near
st david's head. Showers. Good.

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
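The semantic gap the message describes, as an added example that is not part of the thread, the draft, or any of the implementations mentioned: a PKIX matcher in the style of RFC 6125 section 6.4.3 (wildcard honoured only as the whole left-most label, matching exactly one label) next to a simplified model of DNS wildcard matching per RFC 4592 (the "*" label covers one or more labels, unless a closer-matching name exists in the zone). The function names, the `existing_names` parameter and the "refuse fewer than three labels" guard are assumptions made for this illustration; a real PKIX client would consult a public-suffix list rather than count labels, and a real resolver applies the full RFC 4592 closest-encloser algorithm over zone data.

```python
"""Contrast PKIX (RFC 6125) and DNS (RFC 4592) wildcard semantics.

Added illustration, not code from the UTA thread or any draft. Both
matchers are deliberately minimal so the difference in how many labels
a "*" may absorb is the only thing that varies between them.
"""


def _labels(name: str) -> list[str]:
    """Split a domain name into lower-cased labels, ignoring a trailing dot."""
    return name.rstrip(".").lower().split(".")


def pkix_wildcard_match(presented: str, reference: str) -> bool:
    """Match a presented identifier (from a certificate) against a reference
    identifier (what the client intended to connect to).

    Rules modelled on RFC 6125 section 6.4.3:
      * the wildcard must be the entire left-most label ("*.example.com");
      * it matches exactly one label, never zero and never several;
      * every remaining label must compare equal, case-insensitively.
    Partial wildcards ("f*.example.com") and wildcards in inner labels are
    rejected here; RFC 6125 leaves the former optional and discourages the
    latter, so rejecting both is the conservative reading.
    """
    p = _labels(presented)
    r = _labels(reference)
    if len(p) != len(r):
        return False  # a "*" can never stand in for more (or fewer) than one label
    if "*" not in presented:
        return p == r
    if p[0] != "*" or any("*" in lab for lab in p[1:]):
        return False  # only a whole, left-most "*" is honoured
    if len(p) < 3:
        return False  # assumed guard against "*.com"; a real client checks a public-suffix list
    return p[1:] == r[1:]


def dns_wildcard_match(wildcard_owner: str, qname: str, existing_names=()) -> bool:
    """Simplified RFC 4592 model: does the wildcard owner name synthesise an
    answer for qname?

    The "*" label matches one OR MORE labels of qname, provided that neither
    qname itself nor any name between qname and the wildcard's parent exists
    in the zone (the "closest encloser" must be the wildcard's parent).
    `existing_names` is an assumed stand-in for the zone's contents.
    """
    w = _labels(wildcard_owner)
    q = _labels(qname)
    if w[0] != "*":
        return w == q
    parent = w[1:]
    if len(q) <= len(parent) or q[-len(parent):] != parent:
        return False  # qname must be strictly below the wildcard's parent
    existing = {tuple(_labels(n)) for n in existing_names}
    # Walk from qname up to (but excluding) the parent; any existing name on
    # that path is a closer match and blocks wildcard synthesis.
    for i in range(len(q) - len(parent)):
        if tuple(q[i:]) in existing:
            return False
    return True


def compare(presented: str, reference: str, existing_names=()) -> dict:
    """Return both verdicts for one name pair so the difference is visible."""
    return {
        "pkix": pkix_wildcard_match(presented, reference),
        "dns": dns_wildcard_match(presented, reference, existing_names),
    }


if __name__ == "__main__":
    # Constructed sample names; none refer to real deployments.
    for ref in ("www.example.com", "a.b.example.com", "example.com"):
        print(f"*.example.com vs {ref:18} -> {compare('*.example.com', ref)}")
```

The pair that matters for section 7.2 is the second one: `*.example.com` vouches for `a.b.example.com` in DNS but not in PKIX, which is why the draft's "any and all host names within their domain" overstates what a wildcard certificate covers.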
