Re: rfc 3280bis
At 5:20 PM +0100 1/23/08, Alfredo Esposito wrote:
If a certificate has to bind a person/object/server/device to a
public key, what does a wildcard name mean?
Dino Esposito
Exactly.
Wildcard DNS naming is intended to communicate the notion that the
cert Subject is authorized to represent a range of DNS names. I
dislike this because it is taking DNS syntax and misusing it. Note
that for IP addresses, another form of alt name, we created a new
extension in RFC 3779 to explicitly represent authorization for
addresses and to express ranges of such addresses. We also defined
extensions to cert path validation to describe how to process these
extensions in a cert path. If we want to do the same for DNS names,
we have an example of a way to do this, rather than trying to hack
the DNS alt name representation and NOT providing explicit semantics
for the result.
Steve
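To illustrate the "no explicit semantics" point above, here is an added example (not code from the list thread) that applies the same wildcard string under the TLS client rule of RFC 2818 section 3.1 and under the DNS wildcard rule of RFC 1034/4592; the hostnames are constructed.

```python
"""Added example: two readings of one wildcard string.  Certificates
reuse DNS-looking syntax, but the rule a TLS client applies (RFC 2818
3.1) is not the rule DNS itself applies to a wildcard owner name
(RFC 1034 / RFC 4592).  All hostnames below are constructed."""


def tls_wildcard_match(pattern: str, host: str) -> bool:
    """RFC 2818 rule: '*' matches a single label or a fragment of one.
    '*.a.com' matches 'foo.a.com' but not 'bar.foo.a.com';
    'f*.com' matches 'foo.com' but not 'bar.com'."""
    p_labels = pattern.lower().split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    for p, h in zip(p_labels, h_labels):
        if "*" not in p:
            if p != h:
                return False
            continue
        prefix, _, suffix = p.partition("*")
        if not (h.startswith(prefix) and h.endswith(suffix)
                and len(h) >= len(prefix) + len(suffix)):
            return False
    return True


def dns_wildcard_match(owner: str, qname: str) -> bool:
    """RFC 4592 reading: a wildcard owner '*.a.com' covers names under
    'a.com' at any depth (absent a closer match) but never 'a.com'
    itself, and '*' only has meaning as the whole leftmost label."""
    o_labels = owner.lower().split(".")
    q_labels = qname.lower().rstrip(".").split(".")
    if o_labels[0] != "*":
        return o_labels == q_labels  # 'f*' is a literal label in DNS
    parent = o_labels[1:]
    return len(q_labels) > len(parent) and q_labels[-len(parent):] == parent


def disagreements(pattern: str, hosts):
    """Hostnames on which the two readings of the same string differ."""
    return [h for h in hosts
            if tls_wildcard_match(pattern, h) != dns_wildcard_match(pattern, h)]
```

The non-empty result of `disagreements` is the gap the message describes: the certificate borrows DNS syntax but not DNS meaning.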