Re: Wildcard DNS. Re: rfc 3280bis



Dave,
I think you are touching another issue: SAN is not always used
( https://www.verisign.com ), and for wildcards it does not make
sense to use it either, since all clients understand CN.
For multiple discrete hosts SAN is of course used.

Home-brewed wildcard certificate (which apparently
is accepted by Microsoft's CardSpace):
https://infocard.pingidentity.com/cardspace/

If your desire is outlawing wildcards in SAN, I guess you have
no problem, but OTOH I don't see that you got rid of *.domains,
which I thought was the prime consideration.

Anders

----- Original Message -----
From: "David A. Cooper" <david.cooper@xxxxxxxx>
To: "Anders Rundgren" <anders.rundgren@xxxxxxxxx>
Cc: "pkix" <ietf-pkix@xxxxxxx>
Sent: Thursday, January 24, 2008 00:19
Subject: Re: Wildcard DNS. Re: rfc 3280bis


Can you confirm that these wildcard SSL certificates include the DNS 
name in the dNSName field of the subjectAltName extension rather than in 
a common name attribute in the subject field?  I could not find any 
wildcard certificates, but the web site implies that the common name 
attribute is used in the wildcard SSL certificates and that the 
subjectAltName extension does not include DNS names with wildcards.

Dave

Anders Rundgren wrote:
> Certificates with wildcards are fairly widely used because they
> can save you both hassles and money.
>
> Issuer: https://www.godaddy.com/gdshop/ssl/ssl.asp?ci=8979 (a major issuer of SSL certs).
>
> That is, it does not matter what 3280bis says; this is the de facto standard,
> and I doubt that Microsoft intends to remove support for this in MSIE.
>
> If an issuer creates a certificate for *.com it is a bad issuer, while
> *.mycompany.com is ok.  Bad issuers don't have their roots
> deployed in browsers, so I don't see what the problem is.  If
> you have bad issuers, nothing really helps.
>
> Anders
>
>
>
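The thread turns on two things a relying party has to decide: where it takes the server's DNS name from (the dNSName entries of subjectAltName, with the subject commonName only as a fallback when no SAN dNSName is present, which is the client behaviour Anders describes) and how broad a wildcard it is willing to honour (the "*.com is a bad issuer, *.mycompany.com is ok" distinction). The script below is an added example written for this page; it is not code from the PKIX list, from RFC 3280bis, or from any of the issuers mentioned. To stay self-contained it does not parse DER: a certificate is represented as a plain dict of already-extracted fields (`cn` for the subject commonName, `san_dns` for the SAN dNSName values), and the certificates and hostnames are constructed sample data. The matching rules (one `*`, only as the whole leftmost label, never spanning a dot, and at least two labels to its right) follow common browser practice and RFC 6125-style guidance rather than anything the thread itself specifies.

```python
"""Added example: SAN-vs-CN name selection and conservative wildcard matching.

The certificate is a dict of pre-parsed fields (an assumption made so the
example runs without an ASN.1 library):
    cn       - subject commonName, or None
    san_dns  - list of dNSName values from subjectAltName (may be empty)
"""

# Constructed sample certificates; these are not real certificates.
CN_ONLY_WILDCARD = {"cn": "*.mycompany.example", "san_dns": []}
SAN_WILDCARD = {"cn": "ignored.example",
                "san_dns": ["*.mycompany.example", "mycompany.example"]}
OVERBROAD = {"cn": "*.example", "san_dns": []}   # the "*.com" style of wildcard


def candidate_names(cert):
    """Names the client should compare the hostname against.

    If subjectAltName carries any dNSName, those are used and the CN is
    ignored; the CN is consulted only when no SAN dNSName exists (the
    CN-only certificates the thread says all clients still understand).
    """
    san = [n.lower() for n in cert.get("san_dns") or []]
    if san:
        return san
    cn = cert.get("cn")
    return [cn.lower()] if cn else []


def wildcard_is_acceptable(pattern):
    """Reject over-broad or malformed wildcard patterns.

    Rule: at most one '*', it must be the entire leftmost label, and at
    least two non-empty labels must follow it. '*.mycompany.com' passes,
    '*.com', 'w*.mycompany.com' and '*.*.com' fail.
    """
    if "*" not in pattern:
        return True
    labels = pattern.split(".")
    if pattern.count("*") != 1 or labels[0] != "*":
        return False
    return len(labels) >= 3 and all(labels[1:])


def name_matches(pattern, hostname):
    """Match one dNSName/CN value against a hostname.

    '*' stands for exactly one label and never matches across a dot, so
    '*.mycompany.example' matches 'www.mycompany.example' but not
    'a.b.mycompany.example' or 'mycompany.example'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not wildcard_is_acceptable(pattern):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:] and h_labels[0] != ""


def cert_matches_host(cert, hostname):
    """Return (matched, source); source records whether the names came from
    subjectAltName or from the commonName, which is what Dave's question
    in the thread is about."""
    source = "subjectAltName" if cert.get("san_dns") else "commonName"
    matched = any(name_matches(n, hostname) for n in candidate_names(cert))
    return matched, source


if __name__ == "__main__":
    for label, cert, host in [
        ("CN-only wildcard", CN_ONLY_WILDCARD, "www.mycompany.example"),
        ("SAN wildcard", SAN_WILDCARD, "www.mycompany.example"),
        ("SAN wildcard, two labels deep", SAN_WILDCARD, "a.b.mycompany.example"),
        ("over-broad wildcard", OVERBROAD, "www.example"),
    ]:
        print(label, host, cert_matches_host(cert, host))
```

Running it shows the CN-only certificate being accepted via `commonName` and the SAN certificate via `subjectAltName`, while the two-labels-deep host and the over-broad `*.example` pattern are both refused. Because `candidate_names` ignores the CN whenever a SAN dNSName is present, a certificate whose wildcard lives only in the CN alongside a SAN with other names will not match through the CN, which is the behaviour to expect from SAN-aware clients.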