Comment 6 for bug 376484

In , Nelson-bolyard (nelson-bolyard) wrote:

Perhaps this bug can be RESOLVED as WORKSFORME.
Since it was filed, several changes were made to the comparison of
host names in URLs and host names in certs. IIRC, steps 1 and 4 were
determined to be vulnerabilities, and were eliminated.
Bug 103752 was implemented and SANs are now supported per RFC 2818.

There are some issues that remain that get occasional grumbles, and
are probably the subjects of other bugs. They are:

a) NSS ignores a cert's subject CommonNames if/when there are DNS names
in the subject Alternate Names extension. This is due to a very literal
reading of RFC 2818. IE will match names from either place, even when
DNS names are present in the SAN.

b) (as reported in comment 0), NSS matches a "*" to any characters,
whereas RFC 2818 suggests it should not match a ".". We do this for
backwards compatibility with NSS's original spec on pattern matching.

c) NSS accepts at most one Subject Common Name, the most specific one.
This is specified in RFC 2818, but some CAs think that multiple CNs
should be allowed.

Of these issues, perhaps I could be persuaded to change the first two.