[Top] [All Lists]

Re: Any interest in rigorous definition for SSL certificate verification in SMTP?

2011-11-15 21:19:28

Robert A. Rosenberg wrote:
Why not use a Certificate with CN=*.*.s8?? (or whatever is needed to map the s8XX section) to solve this issue? - or is more than one wild card level invalid or having more than one certificate with different specificity levels also invalid?

First thing I thought of. :-)

Alas, RFC 6125 explicitly disallows multiple wildcard characters.

I want to read through the archives for the WG that published RFC 6125 so I understand their reasoning better; although they reference RFC 4954, I'm still wondering if the WG had any input from anyone in the SMTP space. As Tony noted, matching at a single level is incompatible with DNS's own wildcard semantics. And the document's writing style and voice feels much more like a BCP, not a standards track protocol specification.


<Prev in Thread] Current Thread [Next in Thread>