On 16/11/2011 03:04, Carl S. Gutekunst wrote:
Robert A. Rosenberg wrote:
Why not use a Certificate with CN=*.*.s8??.psmtp.com (or whatever is
needed to map the s8XX section) to solve this issue? - or is more
than one wild card level invalid or having more than one certificate
with different specificity levels also invalid?
First thing I thought of. :-)
Alas, RFC 6125 explicitly disallows multiple wildcard characters.
Right. This prohibition came from PKIX WG which worked on RFC 5280. I
can try to find out more about the reason, if you want.
I want to read through the archives for the WG that published RFC 6125
so I understand their reasoning better; although they reference RFC
4954, I'm still wondering if the WG had any input from anyone in the
SMTP space. As Tony noted, matching at a single level is incompatible
with DNS's own wildcard semantics. And the document's writing style
and voice feels much more like a BCP, not a standards track protocol
specification.
Yes, the original plan was to have RFC 6125 as a BCP, but there was some
pushback to the idea, thus it is a PS.