Re: Handling of wildcard certificates (ACTION-519)

How in the world is this under-specified? It's spelled out as clear as can
be...

   Matching is performed using the matching rules specified by
   [RFC2459].  If more than one identity of a given type is present in
   the certificate (e.g., more than one dNSName name, a match in any one
   of the set is considered acceptable.) Names may contain the wildcard
   character * which is considered to match any single domain name
   component or component fragment. E.g., *.a.com matches foo.a.com but
   not bar.foo.a.com. f*.com matches foo.com but not bar.com.

As for Google Chrome, we follow RFC2818 here, and so if you have a cert for
*.a.com we will show a warning for bar.foo.a.com. So far as I can tell, IE
and Safari also do the same.

On Wed, Sep 24, 2008 at 9:15 AM, Thomas Roessler <tlr@w3.org> wrote:

> Hello,
>
> during today's call, we realized that RFC 2818 seems underspecified in
> terms of what's permissible in wildcard certificates; Yngve told us that
> Opera only accepts the wildcard in the first label of a DNS name that
> appears in a certificate.
>
> I.e., *.bar.com can match foo.bar.com, but foo.*.com wouldn't match
> foo.bar.com, in Opera.
>
> How do Mozilla and Chrome and Konqueror behave?
>
> Thanks,
> --
> Thomas Roessler, W3C   <tlr@w3.org>

Received on Wednesday, 24 September 2008 16:23:49 UTC
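The RFC 2818 rule quoted in the reply (a `*` covers one label or a label fragment, and a match against any one dNSName in the set suffices), alongside the stricter first-label-only behaviour the thread attributes to Opera, as an added example in Python; this is not code from the original message or from any of the browsers discussed, and the function names are my own.

```python
"""Server-identity wildcard matching as described in RFC 2818 section 3.1 (added example)."""
import re
from typing import Iterable


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Compare one presented label with one pattern label; '*' stands for any fragment."""
    if not host_label:
        return False  # an empty label can never be a valid DNS component
    if "*" not in pattern_label:
        return pattern_label == host_label
    # Turn "f*", "*" or "a*b" into an anchored regex over a single label only.
    parts = [re.escape(p) for p in pattern_label.split("*")]
    return re.fullmatch(".*".join(parts), host_label) is not None


def matches_rfc2818(pattern: str, hostname: str) -> bool:
    """Does one certificate name match the requested host under the RFC 2818 wording?"""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    # A wildcard covers exactly one component, so the label counts must agree:
    # *.a.com matches foo.a.com but not bar.foo.a.com.
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def matches_leftmost_only(pattern: str, hostname: str) -> bool:
    """Stricter variant (Opera, per the thread): '*' is honoured only in the first label."""
    labels = pattern.split(".")
    if any("*" in lbl for lbl in labels[1:]):
        return False  # foo.*.com is rejected outright, even for foo.bar.com
    return matches_rfc2818(pattern, hostname)


def cert_matches_host(cert_names: Iterable[str], hostname: str, strict: bool = False) -> bool:
    """Any-one-of-the-set rule: accept if any dNSName in the certificate matches."""
    check = matches_leftmost_only if strict else matches_rfc2818
    return any(check(name, hostname) for name in cert_names)


if __name__ == "__main__":
    # Constructed sample certificate names, not taken from any real certificate.
    names = ["www.example.test", "*.a.com", "f*.com"]
    for host in ("foo.a.com", "bar.foo.a.com", "foo.com", "bar.com"):
        print(host, cert_matches_host(names, host))
```

Note that `foo.*.com` is accepted for `foo.bar.com` by the RFC 2818 wording but refused by the first-label-only variant, which is exactly the divergence the thread is asking about.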