> On 12 Jul 2021, at 2:06 pm, Jim Fenton <[email protected]> wrote:
> 
>> A client employing this specification's rules MAY match the reference 
>> identifier against a presented identifier whose DNS domain name portion 
>> contains the wildcard character "*"
> 
> I questioned the MAY in this sentence, because it seems to me that if 
> recognizing wildcard certificates was entirely optional, then wildcards can’t 
> be depended upon and are basically useless.

Indeed "MAY" is correct.  Clients are free to not support wildcards,
just as they're free to refuse to recognise certificates for particular
domains, or issued by particular CAs, or expiring too far in the future, ...

Support for wildcards in RFC 6125 is application-protocol specific, see
Appendix B.

Web browsers should expect to encounter and support wildcards.  Other
applications, or isolated networks, ... MAY choose to not support them.

-- 
        Viktor.

_______________________________________________
Uta mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/uta
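
The optional wildcard matching discussed in this thread, as an added example that is not part of either message and not code from RFC 6125 or any TLS library: a reference-identifier matcher in which wildcard support is a client policy switch. The function names and the `allow_wildcards` parameter are hypothetical; only a whole left-most `*` label is handled, and the three-label minimum is a conservative choice made for this example.

```python
# Added illustration; names and the policy flag are assumptions of this example.
# Simplification: only a complete left-most label "*" counts as a wildcard;
# partial-label wildcards and internationalized names are out of scope.

def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def matches(reference, presented, allow_wildcards):
    """Return True if the presented identifier matches the reference identifier.

    allow_wildcards is the client's own policy choice (the "MAY" in the thread).
    """
    ref, pres = _labels(reference), _labels(presented)
    if "" in ref or "" in pres:
        return False                  # empty label: malformed name
    if not any("*" in label for label in pres):
        return ref == pres            # no wildcard: plain exact match
    if not allow_wildcards:
        return False                  # client opted out: wildcard never matches
    # Wildcard must be the entire left-most label and appear nowhere else.
    if pres[0] != "*" or any("*" in label for label in pres[1:]):
        return False
    # Conservative choice for this example: refuse names as broad as "*.com".
    if len(pres) < 3:
        return False
    # "*" stands for exactly one label, so the label counts must agree.
    return len(ref) == len(pres) and ref[1:] == pres[1:]


def verify(reference, presented_ids, allow_wildcards):
    """Accept the certificate if any presented identifier matches."""
    return any(matches(reference, p, allow_wildcards) for p in presented_ids)
```

A certificate that carries only `*.example.com` is rejected by a client running with `allow_wildcards=False`, while one that also lists the exact host name is accepted by both kinds of client.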
