(In reply to comment #29)
> I concur with the reporter of bug 401317 that certs with simple host names
> should not validate. What does IE do with them?
They work under IE (that's probably why CAs are issuing them in the first place). CN=* doesn't work at all with IE, which would be an argument for dropping support for this in NSS as well. So we would have:
/* for a cn pattern to be considered valid, the wildcard character...
- may occur in an FQDN only
- may occur in the first component only, and must be its last character
- may occur only once
- may be preceded by additional characters
*/
Does that sound like a reasonable solution to our problem?
(Re:
> I would be willing to impose a new restriction, that wildcards must be
> followed by at least two dots (that is, two domains) excluding a trailing
> dot, which I do not propose to ignore
That's basically a good idea, but it has the drawback that it isn't really a "universal" solution - there is a considerable number of TLDs where more than two dots would be required to make this restriction effective [see http://lxr.mozilla.org/mozilla/source/netwerk/dns/src/effective_tld_names.dat and bug 331510 [the nsEffectiveTLDService] for what Necko is doing about this - maybe PSM could make use of it?)
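To make the proposed rules concrete, here is a small validator written for this thread; it is not NSS or PSM code and does not come from the bug. It encodes the four wildcard rules from the comment block above, the "at least two dots after the wildcard" restriction (with a trailing dot stripped first and not counted), rejects simple host names, and adds the effective-TLD caveat as a lookup against a tiny constructed suffix set that stands in for effective_tld_names.dat. Label syntax (letters, digits, hyphen) and case-insensitive comparison are assumptions of this example.

```python
"""Wildcard CN-pattern validation in the shape discussed in the comment.

Assumptions (not from the bug report): labels consist of letters, digits and
hyphens; comparison is case-insensitive; PUBLIC_SUFFIXES is a constructed
stand-in for effective_tld_names.dat (the real list is far larger).
"""
import re

# A well-formed hostname label with no wildcard.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")
# Characters allowed before the wildcard in the first label ('www*' is allowed).
_PREFIX_RE = re.compile(r"^[a-z0-9-]*$")

# Constructed subset of public suffixes; in practice this is an effective-TLD lookup.
PUBLIC_SUFFIXES = {"com", "org", "uk", "co.uk", "org.uk", "jp", "co.jp"}


def _normalize(name):
    """Lower-case and drop a single trailing dot, which is ignored for matching."""
    name = name.lower()
    return name[:-1] if name.endswith(".") else name


def is_valid_cn_pattern(pattern, min_dots_after_wildcard=2, public_suffixes=PUBLIC_SUFFIXES):
    """Accept a CN pattern only if it follows the rules from the comment.

    - the wildcard may occur in an FQDN only (simple host names are rejected)
    - it may occur in the first label only, and must be that label's last character
    - it may occur only once
    - it may be preceded by additional characters
    - at least `min_dots_after_wildcard` dots must follow it (trailing dot excluded)
    - the part after the wildcard must not itself be a public suffix
    """
    pattern = _normalize(pattern)
    labels = pattern.split(".")
    if len(labels) < 2:
        return False                      # simple host name, or a bare '*'
    if pattern.count("*") > 1:
        return False                      # wildcard may occur only once
    first, rest = labels[0], labels[1:]
    if any(not _LABEL_RE.match(label) for label in rest):
        return False                      # wildcard in a later label, or malformed label
    if "*" not in first:
        return bool(_LABEL_RE.match(first))
    if not first.endswith("*") or not _PREFIX_RE.match(first[:-1]):
        return False                      # wildcard must be the last character of label 1
    if len(rest) < min_dots_after_wildcard:
        return False                      # e.g. '*.com'
    if ".".join(rest) in public_suffixes:
        return False                      # e.g. '*.co.uk': two dots are not enough here
    return True


def hostname_matches(pattern, hostname):
    """Match a hostname against a validated pattern; '*' never spans a dot."""
    if not is_valid_cn_pattern(pattern):
        return False
    pattern, hostname = _normalize(pattern), _normalize(hostname)
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    # Same number of labels, and every label after the first must be identical.
    if len(p_labels) != len(h_labels) or p_labels[1:] != h_labels[1:]:
        return False
    first = p_labels[0]
    if "*" not in first:
        return first == h_labels[0]
    prefix = first[:-1]
    return h_labels[0].startswith(prefix) and _LABEL_RE.match(h_labels[0]) is not None


if __name__ == "__main__":
    for p in ("*.example.com", "www*.example.com", "*.com", "*.co.uk", "*", "www.*.com"):
        print(p, is_valid_cn_pattern(p))
```

With the two-dot rule alone, `*.co.uk` would be accepted, which is exactly the gap the comment points at; the suffix lookup is what closes it, and a real implementation would consult the effective-TLD list rather than a hard-coded set.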