On Mon, Jul 12, 2021 at 02:14:39PM -0700, Brian Smith wrote:
> I think the important point is that RFC 6125 can specify the syntax of a
> wildcard, and we can specify how to match a reference ID against it,
> without having to dive into determining whether the CA should have issued
> that wildcard and/or what other validation of the wildcard needs to be
> done. I.e. that further validation happens outside (before, after, or in
> parallel to) RFC 6125 processing.
Yes, just syntax and semantics, but not the operational outcome. The relying party learns that the CA has bound the public key to all single-label subdomains of the domain that follows the "*" label. What the relying party does with that information is not specified, though in practice most RPs will do what is generally expected for the application in question. Many applications presently support wildcards. Wildcards are still bad when other options are available, and server operators should avoid them whenever possible.

-- 
Viktor.

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
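The semantics described in the thread, as an added worked example (not code from the thread, from RFC 6125 or from any IETF implementation): a matcher in which a "*" that forms the entire left-most label of a presented dNSName covers exactly one label, so it matches every single-label subdomain of the domain that follows it and nothing else. Partial-label wildcards ("baz*.example.net") and wildcards in any other position are rejected here as a conservative design choice; that is this example's assumption, not something the thread settles. Whether the CA should have issued a given wildcard at all (the "*.com" case at the end of the demonstration) is deliberately left to a separate policy step, which is the separation Brian and Viktor describe.

```python
"""RFC 6125-style matching of a presented identifier (certificate SAN dNSName)
against a reference identifier (the host the client meant to reach).

Added example for the UTA thread; names and test data below are constructed.
"""

from typing import Iterable, List, Optional


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels, tolerating one trailing dot.

    DNS names compare case-insensitively, so normalisation happens here once.
    """
    if name.endswith("."):
        name = name[:-1]
    return name.lower().split(".")


def matches_dns_id(presented: str, reference: str) -> bool:
    """Return True if ``presented`` (from the certificate) matches ``reference``.

    Rules implemented (conservative reading of RFC 6125 section 6.4.3):
      * no wildcard: exact, case-insensitive label comparison;
      * a wildcard is accepted only as the whole left-most label;
      * that label matches exactly one label of the reference identifier, so
        "*.example.com" covers "foo.example.com" but not "example.com" and
        not "bar.foo.example.com";
      * a bare "*" and any wildcard in the reference identifier never match.
    Issuance policy (e.g. refusing "*.com") is NOT decided here.
    """
    if "*" in reference:
        return False  # reference identifiers are never wildcards
    p = _labels(presented)
    r = _labels(reference)
    if "" in p or "" in r:
        return False  # empty name or empty label ("foo..example.com")
    if "*" not in presented:
        return p == r
    # Wildcard path: exactly one "*", and it must be the entire first label.
    if presented.count("*") != 1 or p[0] != "*":
        return False  # rejects "baz*.example.com" and "foo.*.example.com"
    if len(p) < 2:
        return False  # a bare "*" binds nothing meaningful
    # The wildcard stands in for exactly one label, so counts must agree and
    # every label after the wildcard must match exactly.
    return len(p) == len(r) and p[1:] == r[1:]


def select_matching_san(presented_ids: Iterable[str], reference: str) -> Optional[str]:
    """Return the first SAN dNSName that matches ``reference``, or None.

    Mirrors the step a relying party performs after chain validation: pick
    the presented identifier that covers the intended host, if any.
    """
    for pid in presented_ids:
        if matches_dns_id(pid, reference):
            return pid
    return None


if __name__ == "__main__":
    # Constructed SAN list, not taken from any real certificate.
    sans = ["www.example.com", "*.example.com", "*.com"]
    for host in ["WWW.Example.COM", "api.example.com", "deep.api.example.com",
                 "example.com", "other.com"]:
        print(f"{host:>22} -> {select_matching_san(sans, host)}")
    # "other.com" matches "*.com" at the syntax/semantics level; whether such
    # a name should ever have been issued is the policy question the thread
    # keeps outside RFC 6125 matching.
```

The last line of the demonstration is the point of the exercise: matching says "*.com" covers "other.com", and a relying party that also wants to refuse over-broad wildcards has to apply that check before, after, or alongside the matcher, exactly as the thread describes.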