[SSL Observatory] Name constraints: a reasonable idea that hasn't panned out in practice

Daniel Veditz dveditz at mozilla.com
Thu May 5 01:02:46 PDT 2011


On 4/22/11 4:44 PM, Erwann ABALEA wrote:
> Wildcard certificates were verified with different rules whether
> IE/CAPI or FF/NSS was used, if memory serves right; I think
> FF/NSS considered that something like "*.domain.com" could match 
> "very.secure.domain.com", for example, but IE didn't. Lack of 
> standardization.

The wildcard rules are very clearly spelled out in the standards,
but for a long time NSS continued to follow pre-standard historical
behavior. Initially to avoid breaking customers using that feature
in Netscape's and later iPlanet's servers, but then far too long
after that on inertia alone. It's all good now though. What does
that have to do with NameConstraints?

-Dan Veditz
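
The two matching behaviours discussed in this thread, side by side, as an added example that is not part of the original message and is not NSS or CAPI code. The single-label rule is the one given in RFC 2818 and RFC 6125; the function names and sample host names are assumptions made for illustration.

```python
"""Added example: two wildcard-matching behaviours for certificate DNS names."""

def _labels(name):
    # DNS names compare case-insensitively; drop one trailing root dot.
    return name.lower().removesuffix(".").split(".")

def match_single_label(pattern, host):
    """'*' as the whole leftmost label stands for exactly one label."""
    p, h = _labels(pattern), _labels(host)
    if "" in p or "" in h or any("*" in label for label in p[1:]):
        return False                       # empty label or wildcard not leftmost
    if p[0] != "*":
        return "*" not in p[0] and p == h  # partial wildcards are out of scope here
    return len(p) > 1 and len(h) == len(p) and h[1:] == p[1:]

def match_multi_label(pattern, host):
    """Model of the looser behaviour from the thread: '*' may span several labels."""
    p, h = _labels(pattern), _labels(host)
    if "" in p or "" in h or any("*" in label for label in p[1:]):
        return False
    if p[0] != "*":
        return "*" not in p[0] and p == h
    suffix = p[1:]
    return bool(suffix) and len(h) > len(suffix) and h[-len(suffix):] == suffix

def divergent(pattern, hosts):
    """Hosts that only the multi-label matcher accepts for this pattern."""
    return [x for x in hosts
            if match_multi_label(pattern, x) and not match_single_label(pattern, x)]

if __name__ == "__main__":
    # Constructed sample names, built around the ones quoted in the thread.
    hosts = ["secure.domain.com", "very.secure.domain.com",
             "domain.com", "Secure.Domain.COM."]
    for x in hosts:
        print(f"{x:26} single={match_single_label('*.domain.com', x)} "
              f"multi={match_multi_label('*.domain.com', x)}")
    print("differs:", divergent("*.domain.com", hosts))
```

Running `divergent` over the host names a wildcard certificate is expected to serve shows which ones would be accepted only by a client using the looser rule.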