Comment 30 for bug 376484

In , Mozbugzilla (mozbugzilla) wrote:

(In reply to comment #29)
> I concur with the reporter of bug 401317 that certs with simple host names
> should not validate. What does IE do with them?

They work under IE (that's probably why CAs are issuing them in the first place). CN=* doesn't work at all with IE, which would be an argument for dropping support for this in NSS as well. So we would have:

   /* for a cn pattern to be considered valid, the wildcard character...
      - may occur in an FQDN only
      - may occur in the first component only, and must be its last character
      - may occur only once
      - may be preceded by additional characters
    */

Does that sound like a reasonable solution to our problem?

(Re:
> I would be willing to impose a new restriction, that wildcards must be
> followed by at least two dots (that is, two domains) excluding a trailing
> dot, which I do not propose to ignore

That's basically a good idea, but it has the drawback that it isn't really a "universal" solution - there is a considerable number of TLDs where more than two dots would be required to make this restriction effective [see http://lxr.mozilla.org/mozilla/source/netwerk/dns/src/effective_tld_names.dat and bug 331510 (the nsEffectiveTLDService) for what Necko is doing about this - maybe PSM could make use of it?].)
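The four-rule pattern check sketched in the comment above, written out as an added C example (this is not NSS code; treating the wildcard as matching any run of characters, possibly empty, within the first label only is an assumption of the example):

```c
#include <ctype.h>
#include <stdbool.h>
#include <string.h>

/* Case-insensitive comparison of n bytes (DNS names are case-insensitive). */
static bool eq_nocase(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return false;
    return true;
}

/* Is the CN pattern acceptable under the four proposed rules? A pattern
   without any wildcard passes these structural checks unconditionally. */
bool wildcard_pattern_ok(const char *cn)
{
    const char *star = strchr(cn, '*');
    if (star == NULL)
        return true;
    if (strchr(star + 1, '*') != NULL)     /* may occur only once */
        return false;
    const char *dot = strchr(cn, '.');
    if (dot == NULL)                       /* FQDN only: "*" and "*host" fail */
        return false;
    /* first component only, and as its last character: "www*.example.com"
       is fine, "w*w.example.com" and "www.*.example.com" are not */
    return star + 1 == dot;
}

/* Match a host name against a CN pattern (assumption: the wildcard stands
   for any run of characters, possibly empty, inside the first label only). */
bool cn_matches_host(const char *cn, const char *host)
{
    if (!wildcard_pattern_ok(cn))
        return false;
    size_t cn_len = strlen(cn), host_len = strlen(host);
    const char *star = strchr(cn, '*');
    if (star == NULL)                      /* plain name: exact match only */
        return cn_len == host_len && eq_nocase(cn, host, cn_len);
    size_t prefix_len = (size_t)(star - cn);   /* literal text before '*' */
    const char *rest = star + 1;               /* e.g. ".example.com" */
    size_t rest_len = strlen(rest);
    const char *host_dot = strchr(host, '.');  /* end of the host's first label */
    if (host_dot == NULL || (size_t)(host_dot - host) < prefix_len)
        return false;                          /* host must be an FQDN too */
    return eq_nocase(cn, host, prefix_len) &&
           host_len - (size_t)(host_dot - host) == rest_len &&
           eq_nocase(host_dot, rest, rest_len);
}
```

Note that these four rules alone still accept a pattern such as `*.com`; that is exactly the gap the quoted "at least two dots" proposal and the effective-TLD list are meant to close.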