Comment 47 for bug 376484

In , Devel-regnard (devel-regnard) wrote :

This is really problematic, since the possibility of zone delegation extends the validity of the certificate to untrusted FQDNs or organisations, and this has obvious security issues!

This is easy to understand: *.domain.com in the CN stands for any domain name under .domain.com. * matches everything but the dot! This is how trusted CAs treat it according to RFC 2818.

With Perl, the regex to achieve this is as simple as:

/^[^\.]+\.domain\.com$/

This should normally not take years to implement? Can you please give a final decision on that?

IE 6 and 7 now implement it that way!!
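
The single-label rule argued for in the comment above, generalised from the one hard-coded regex to any wildcard name and set beside a matcher whose "*" may cross dots. This is an added example, not code from the comment or from the project under discussion; the function names, the sample host names and the permissive matcher (a model of the behaviour being objected to) are assumptions.

```python
import re

# Constructed sample names; "delegated" stands for a sub-zone run by another party.
SAMPLE_HOSTS = [
    "www.domain.com",
    "WWW.Domain.Com",
    "domain.com",
    "host.delegated.domain.com",
    "wwwXdomain.com",
    "www.domain.com.example.net",
]

def _compile(pattern: str, star: str) -> re.Pattern:
    # Escape every literal piece so "." in the certificate name is a real dot,
    # then put the chosen wildcard expression where each "*" was.
    literals = [re.escape(piece) for piece in pattern.lower().split("*")]
    return re.compile(star.join(literals))

def _normalize(hostname: str) -> str:
    # DNS names are case-insensitive; one trailing root dot is not significant.
    hostname = hostname.lower()
    return hostname[:-1] if hostname.endswith(".") else hostname

def strict_match(pattern: str, hostname: str) -> bool:
    """'*' covers one or more characters of a single label, never a dot."""
    # fullmatch anchors both ends, so a trailing newline cannot slip through.
    return _compile(pattern, r"[^.]+").fullmatch(_normalize(hostname)) is not None

def permissive_match(pattern: str, hostname: str) -> bool:
    """Assumed model of the behaviour objected to: '*' also spans dots."""
    return _compile(pattern, r".+").fullmatch(_normalize(hostname)) is not None

def over_matched(pattern: str, hostnames: list) -> list:
    """Names accepted only when '*' is allowed to cross label boundaries."""
    return [h for h in hostnames
            if permissive_match(pattern, h) and not strict_match(pattern, h)]

if __name__ == "__main__":
    for host in SAMPLE_HOSTS:
        print(f"{host:28} strict={strict_match('*.domain.com', host)!s:5} "
              f"permissive={permissive_match('*.domain.com', host)}")
    print("over-matched:", over_matched("*.domain.com", SAMPLE_HOSTS))
```

Running `over_matched` against the names a deployment actually serves shows which ones depend on multi-label matching before a stricter client is rolled out.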