On Thu, Jul 3, 2014 at 3:35 PM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:
> On Thu, Jul 03, 2014 at 12:28:20PM -0400, Jeffrey Walton wrote:
> ...
>> Does the entire RFC 6125 apply for hostname matching? If so, two points:
>>
>> (1) X509_check_host(3)'s description only references RFC 6125
>> for IDN presentation, and not the entirety of hostname
>> matching.
>
> 6125 is a litany of woes, not a fixed standard. The flag bits determine
> which of the malignancies you tolerate or avoid.

That put milk up my nose.

>> (2) The certificates being issued for many sites and services use
>> CA/B Forums Baseline Requirement (and EV Guide); and *not*
>> the IETF's documents.
>
> The responsibility to not issue wildcard EV certs is on the CA.

As a relying party, I think it's up to the client to verify compliance with the policy.

Also consider it in other contexts: in SRP, it's up to the client to verify the server's parameters (and the server to verify the client's parameters). Neither the client nor the server takes the other's word on proper parameter selection. For example, the client MUST abort the handshake if the server selects private key 'b' such that the public key B % N = 0. And the same is true for the server and the client's public key if A % N = 0.

Jeff
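The SRP public-value check Jeff describes, as an added example that is not part of the thread or of OpenSSL: both sides of an SRP-6a exchange reduce and reject a peer value that is 0 mod N before using it, and the unchecked server computation shows why, since A = 0 mod N forces the premaster secret to 0 whatever private key b the server chose. The modulus, generator and SHA-256 hash are constructed for illustration, not an RFC 5054 group.

```python
import hashlib

# Constructed toy modulus for illustration only (a Mersenne prime, not an
# RFC 5054 group); real SRP uses a safe prime of at least 1024 bits.
N = 2**127 - 1
g = 3
NLEN = (N.bit_length() + 7) // 8

def H(*parts: int) -> int:
    """Hash of the operands, each left-padded to the byte length of N (SHA-256 assumed)."""
    data = b"".join(p.to_bytes(NLEN, "big") for p in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def check_public_value(value: int) -> int:
    """RFC 5054 rule: abort if the peer's public value is 0 mod N."""
    if value % N == 0:
        raise ValueError("SRP public value is 0 mod N: abort handshake")
    return value % N

def rejects(value: int) -> bool:
    """True if check_public_value would abort the handshake on this value."""
    try:
        check_public_value(value)
    except ValueError:
        return True
    return False

k = H(N, g)  # SRP-6a multiplier

def server_side(A: int, v: int, b: int) -> tuple:
    """Server: verify A, then B = k*v + g^b and S = (A * v^u)^b, all mod N."""
    A = check_public_value(A)
    B = (k * v + pow(g, b, N)) % N
    u = H(A, B)
    return B, pow(A * pow(v, u, N), b, N)

def client_side(B: int, a: int, x: int) -> int:
    """Client: verify B, then S = (B - k*g^x)^(a + u*x) mod N."""
    B = check_public_value(B)
    A = pow(g, a, N)
    u = H(A, B)
    return pow((B - k * pow(g, x, N)) % N, a + u * x, N)

def unchecked_server_secret(A: int, v: int, b: int) -> int:
    """Server computation with the check omitted: A = 0 mod N forces S = 0."""
    B = (k * v + pow(g, b, N)) % N
    u = H(A % N, B)
    return pow((A % N) * pow(v, u, N), b, N)
```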