
Re: New auth system and hostname mismatch

From: Joe Orton <joe_at_manyfish.co.uk>
Date: 2003-04-22 13:26:49 CEST

On Tue, Apr 22, 2003 at 10:53:38PM +1200, Adam Warner wrote:
> >> BTW the new Mozilla browser has always treated my standard certificate
> >> as a wildcard certificate. If you want to visit a work in progress,
> >> https://nzae.macrology.co.nz you can test this for yourself. You should
> >> find there is absolutely no warning that nzae.macrology.co.nz doesn't
> >> match macrology.co.nz.
> >
> > Visiting with IE throws a warning: "The name on the security certificate
> > is invalid or does not match the name of the site".
>
> Yes, that's why I said Mozilla. I know MSIE enforces this.
>
> Enforcing this simply requires me to transfer ~US$500pa of wealth to a CA
> so they can add *. to the certificate name. It provides zero extra
> security for visitors than simply treating the certificate as wildcard in
> the first place. Think about it.

neon implements the certificate identity checks according to RFC2818,
which require a warning for this.

ra_dav/neon's server cert support is not yet finished: when SVN can
cache certs (or fingerprints) after an initial "this cert, issued to X,
is not trusted for reasons Y and Z" prompt, all these problems go away
(along with the config options).

Regards,

joe

Received on Tue Apr 22 13:27:39 2003

This is an archived mail posted to the Subversion Dev mailing list.
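
The hostname check from RFC 2818 section 3.1 that the reply refers to, as an added example that is not part of the original mail and is not neon's code. The function names and `struct cert_names` are hypothetical, and the certificate values are constructed from the hostnames quoted in the thread.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>                       /* strncasecmp (POSIX) */

/* One label against one pattern label; '*' never crosses a '.'. */
static int label_match(const char *pat, size_t plen, const char *lab, size_t llen)
{
    const char *star = memchr(pat, '*', plen);
    if (!star)
        return plen == llen && strncasecmp(pat, lab, plen) == 0;
    size_t pre = (size_t)(star - pat), suf = plen - pre - 1;
    return llen >= pre + suf && strncasecmp(pat, lab, pre) == 0 &&
           strncasecmp(star + 1, lab + llen - suf, suf) == 0;
}

/* Compare a certificate name with the requested host, label by label. */
int rfc2818_name_match(const char *pattern, const char *host)
{
    for (;;) {
        size_t plen = strcspn(pattern, "."), hlen = strcspn(host, ".");
        if (hlen == 0 || !label_match(pattern, plen, host, hlen))
            return 0;
        if (pattern[plen] == '\0' || host[hlen] == '\0')
            return pattern[plen] == host[hlen];  /* both must end together */
        pattern += plen + 1;                     /* step past the '.' */
        host += hlen + 1;
    }
}

/* Hypothetical, simplified view of the names in a parsed certificate. */
struct cert_names { const char *cn; const char *const *dns; size_t ndns; };

/* 1 if the certificate covers host, 0 if the client has to warn. */
int cert_matches_host(const struct cert_names *c, const char *host)
{
    if (c->ndns == 0)                      /* no dNSName: fall back to the CN */
        return c->cn != NULL && rfc2818_name_match(c->cn, host);
    for (size_t i = 0; i < c->ndns; i++)   /* dNSName present: CN is ignored */
        if (rfc2818_name_match(c->dns[i], host))
            return 1;
    return 0;
}

int main(void)
{
    struct cert_names plain = { "macrology.co.nz", NULL, 0 };  /* constructed */
    printf("%d\n", cert_matches_host(&plain, "nzae.macrology.co.nz"));
    return 0;
}
```

The check returns 0 for the case in the thread, a certificate issued to `macrology.co.nz` presented by `nzae.macrology.co.nz`, and a `*.macrology.co.nz` name covers exactly one extra label, so it matches neither the bare domain nor a deeper subdomain.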