[SSL Observatory] Name constraints: a reasonable idea that hasn't panned out in practice
=JeffH
Jeff.Hodges at KingsMountain.com
Fri Apr 22 18:25:47 PDT 2011
> Identity verification when receiving a certificate is really a mess,
> as it's not covered at all either in X.509 or in RFC2459/3280/5280,
> as it's dependent on the protocol/application using the cert. Wildcard
> certificates were verified with different rules whether IE/CAPI or
> FF/NSS was used, if memory serves right; I think FF/NSS considered
> that something like "*.domain.com" could match
> "very.secure.domain.com", for example, but IE didn't. Lack of
> standardization.
yes, that's a bunch of the reasons we hunkered down and got RFC 6125 written.
It attempts to make the above more uniform...
=JeffH
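
The wildcard disagreement discussed in this thread, as an added example that is not part of the original message and is not code from NSS, CAPI or RFC 6125: it compares the single-label rule of RFC 6125 section 6.4.3 with the looser multi-label rule the quoted text recalls. The function names and host names are constructed for illustration, and partial-label wildcards (which RFC 6125 leaves optional) are rejected here.

```python
# Added illustration; all function names are hypothetical.

def _labels(name):
    # DNS names compare case-insensitively; drop a trailing root dot.
    return name.lower().rstrip(".").split(".")

def _wildcard_ok(p):
    # '*' must be the complete left-most label and appear nowhere else.
    return p[0] == "*" and not any("*" in label for label in p[1:])

def match_single_label(pattern, host):
    """RFC 6125 section 6.4.3 style: '*' as the whole left-most label
    stands for exactly one label of the reference identifier."""
    p, h = _labels(pattern), _labels(host)
    if "*" not in pattern:
        return p == h
    if not _wildcard_ok(p):
        return False
    # Equal label counts mean '*' covers one label, never zero or several.
    return len(p) == len(h) and h[0] != "" and p[1:] == h[1:]

def match_multi_label(pattern, host):
    """Looser rule of the kind recalled in the quoted text: '*' may
    absorb one or more left-most labels."""
    p, h = _labels(pattern), _labels(host)
    if "*" not in pattern:
        return p == h
    if not _wildcard_ok(p):
        return False
    suffix = p[1:]
    return len(h) > len(suffix) and h[-len(suffix):] == suffix

def compare(pattern, hosts):
    """Return {host: (single_label_result, multi_label_result)}."""
    return {h: (match_single_label(pattern, h), match_multi_label(pattern, h))
            for h in hosts}

if __name__ == "__main__":
    # Constructed sample names, built around the example in the quoted text.
    hosts = ["www.domain.com", "very.secure.domain.com",
             "domain.com", "www.domain.com.evil.example"]
    for host, (strict, loose) in compare("*.domain.com", hosts).items():
        print(f"{host:30} single-label={strict!s:5} multi-label={loose}")
```

Hosts on which the two results differ are the ones where clients following different rules would disagree about whether the certificate is valid for the name.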