RE: rfc 3280bis
I agree to the change proposals before this one.
I would not oppose the wildcard amendment either IF it turns out to be non-controversial to include the change.
"*" is indeed used in commercial certificates today, so it definitely represents a real need.
Stefan Santesson
Senior Program Manager
Windows Security, Standards
> -----Original Message-----
> From: owner-ietf-pkix@xxxxxxxxxxxx [mailto:owner-ietf-pkix@xxxxxxxxxxxx] On Behalf Of Peter Sylvester
> Sent: 16 January 2008 13:46
> To: Stephen Kent
> Cc: David A. Cooper; pkix
> Subject: Re: rfc 3280bis
>
> And what about '*.foo.net'? I cite from SCVP.
>
> If the nameCompAlgId supplied in the request is id-kp-serverAuth
> [PKIX-1 <http://tools.ietf.org/html/draft-ietf-pkix-scvp-32#ref-PKIX-1>],
> then GeneralNames supplied in the request MUST be a
> dNSName, and the matching rules to be used are defined in [PKIX-1
> <http://tools.ietf.org/html/draft-ietf-pkix-scvp-32#ref-PKIX-1>].
>
> If a subjectAltName extension is present and includes one or more
> names of type dNSName, a match in any one of the set is considered
> acceptable. If the subjectAltName extension is omitted, or does not
> include any names of type dNSName, the (most specific) Common Name
> field in the Subject field of the certificate MUST be used.
>
> Names may contain the wildcard character * which is considered to
> match any single domain name component. That is, *.a.com matches
> foo.a.com but not bar.foo.a.com.
>
>
> I think that something like the three lines above should be included in
> 3280bis?
>
>
> Stephen Kent wrote:
> >
> > David,
> >
> > Then let's make this last-minute fix, and keep Sam informed.
> >
> > Steve
> >
> >
>
>
> --
> To verify the signature, see http://edelpki.edelweb.fr/
> This lets you load the authority's certificate;
> you will also find the list of revoked certificates there.
>
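The matching rule quoted from SCVP in the thread above, written out as an added Python example; it is not part of the original messages or of any cited draft. The function and parameter names are hypothetical, and two points are assumptions: only a whole-label "*" is treated as a wildcard, and the last commonName in Subject order is taken as the most specific one.

```python
def _labels(name):
    # DNS names compare case-insensitively; drop one trailing root dot.
    name = name.lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def name_matches(pattern, hostname):
    """Return True if a certificate name (which may contain '*') matches hostname.

    '*' stands for exactly one domain name component, so the pattern and the
    hostname must have the same number of labels.
    """
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h) or "" in h or "*" in h:
        return False  # different depth, empty label, or wildcard in the queried name
    return all(pl == "*" or pl == hl for pl, hl in zip(p, h))


def cert_matches(hostname, san_dns_names, subject_cns):
    """Apply the name-selection rule from the quoted text.

    san_dns_names: dNSName values from subjectAltName (empty list if none).
    subject_cns:   commonName values in Subject order (assumption: last is
                   the most specific).
    """
    if san_dns_names:
        # A match on any one dNSName is acceptable; the CN is not consulted.
        return any(name_matches(n, hostname) for n in san_dns_names)
    if subject_cns:
        # No dNSName present: fall back to the most specific Common Name only.
        return name_matches(subject_cns[-1], hostname)
    return False


if __name__ == "__main__":
    # Constructed sample names, including the ones used in the quoted text.
    for host in ("foo.a.com", "bar.foo.a.com", "a.com"):
        print(host, name_matches("*.a.com", host))
```

Because the CN is ignored whenever a dNSName is present, a certificate whose SAN list does not cover the host fails even if its CN would have matched.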