Section 4.3.3 seems somewhat relevant, and does seem in line with
Firefox's behavior, with one possible exception -- if DNS information
exists for a subdomain, the wildcard is not applied for that
particular subdomain, or any of its subdomains. It's not immediately
clear to me how this exception could be applied to SSL certs.
Firefox's behavior seems fairly reasonable to me, if not the norm.
Matt (or anyone), do you know of any discussion on the Firefox
development lists about this behavior?
----- Forwarded message from Matt Bodley <email@example.com> -----
Date: Thu, 06 Sep 2007 09:39:40 +1200
From: Matt Bodley <firstname.lastname@example.org>
To: Daniel Rall <email@example.com>
Subject: Re: patch SSL certificate warning
Daniel Rall wrote:
>On Wed, 05 Sep 2007, Matt Bodley wrote:
>>I am wondering whether anyone is working on fixing the "hostname does
>>not match" warning when a hostname such as "xxx.secondlevel.domain.com"
>>is accessed with an SSL Cert authorized for "*.domain.com".
>>This is an interesting issue as Firefox has responded accordingly, and
>>treats the above as valid, but Internet Explorer doesn't yet.
>>Because, really, it should behave like Firefox....
>Matt, can you point us to the RFC that documents the proper behavior
>here? Every app I've ever used (up until Firefox) does not have this
http://www.ietf.org/rfc/rfc1034.txt explains the treatment for things
like MX records, and also IP addresses in DNS records, which are
consistent with what I mentioned. I cannot seem to find any specific RFC
on SSL certificates, however.
I agree that up until now, most apps do not have this behavior. However,
I think the current treatment was imposed by default by Microsoft in IE,
and I think most would agree that it is much better for the Internet in
general to have the behavior as Firefox is leading, as it reduces the
cost of websites worldwide and increases the security of those websites
(there is no lesser security with this behavior, and more people will
opt for SSL certificates in this manner as the cost is lower).
----- End forwarded message -----
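To make the two interpretations in this thread concrete, here is an added example (my code, not from the thread or from Subversion) that matches a hostname against a certificate wildcard name both the strict single-label way (the rule RFC 2818 describes: `*.domain.com` covers `www.domain.com` but not `xxx.secondlevel.domain.com`) and the multi-label way the thread attributes to Firefox. Refusing a pattern whose suffix is a single label like `*.com` is an extra defensive check I added; the hostnames are constructed for illustration.

```python
# Added example: compare strict (single-label) and multi-label wildcard
# matching for TLS certificate names. Not part of the mailing-list thread.

def _labels(name):
    """Normalise a DNS name: lower-case, drop a trailing dot, split on '.'."""
    return name.lower().rstrip(".").split(".")

def wildcard_matches(pattern, hostname, multi_label=False):
    """Return True if `hostname` is covered by the certificate name `pattern`.

    multi_label=False: the '*' stands for exactly one label (strict rule).
    multi_label=True:  the '*' may stand for one or more labels (the
                       permissive behaviour described in the thread).
    """
    p, h = _labels(pattern), _labels(hostname)
    if "*" not in pattern:
        return p == h                       # no wildcard: exact match only
    if p[0] != "*" or any("*" in lab for lab in p[1:]):
        return False                        # '*' must be the whole leftmost label
    suffix = p[1:]
    if len(suffix) < 2:
        return False                        # assumption: refuse "*.com"-style patterns
    if len(h) <= len(suffix) or h[-len(suffix):] != suffix:
        return False                        # suffix must match with >=1 label before it
    covered = len(h) - len(suffix)          # how many labels the '*' would stand for
    return covered == 1 or multi_label

# Constructed test cases: (certificate name, hostname being connected to)
CASES = [
    ("*.domain.com", "www.domain.com"),
    ("*.domain.com", "xxx.secondlevel.domain.com"),   # the case from the thread
    ("*.domain.com", "domain.com"),
    ("*.domain.com", "domain.com.evil.example"),
    ("*.com", "domain.com"),
]

def compare(cases=CASES):
    """Map each (pattern, host) to (strict_result, multi_label_result)."""
    return {(p, h): (wildcard_matches(p, h), wildcard_matches(p, h, True))
            for p, h in cases}

if __name__ == "__main__":
    for (p, h), (strict, loose) in compare().items():
        print(f"{p:14} {h:28} strict={strict!s:5} multi_label={loose}")
```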
Received on Thu Sep 6 01:31:14 2007