[caops-wg] [igtf-general] Re: Grid Certificate Profile version 0.20
Jim Basney
jbasney at ncsa.uiuc.edu
Thu Mar 15 09:11:23 CDT 2007
Mike 'Mike' Jones <mike.jones at manchester.ac.uk> wrote:
> On the subject of wild cards, a number of browsers support the use of the
> asterisk as a wild card in the CN field of a DNS style CN, e.g.
> *.google.com; does this document need a comment to this effect?
One reference for this behavior is Section 3.1 (Server Identity) of RFC
2818 (HTTP Over TLS).
If a subjectAltName extension of type dNSName is present, that MUST
be used as the identity. Otherwise, the (most specific) Common Name
field in the Subject field of the certificate MUST be used. Although
the use of the Common Name is existing practice, it is deprecated and
Certification Authorities are encouraged to use the dNSName instead.
Matching is performed using the matching rules specified by
[RFC2459]. If more than one identity of a given type is present in
the certificate (e.g., more than one dNSName name, a match in any one
of the set is considered acceptable.) Names may contain the wildcard
character * which is considered to match any single domain name
component or component fragment. E.g., *.a.com matches foo.a.com but
not bar.foo.a.com. f*.com matches foo.com but not bar.com.
-Jim
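The matching rules Jim quotes from RFC 2818 section 3.1, written out as an added example (this is not code from the original message, the mailing list, or any CA software). It implements the three points the quoted text makes: dNSName subjectAltNames take precedence over the CN, a match against any one identity in the set is enough, and `*` matches one component or a fragment of one component but never crosses a dot. Two details are assumptions not stated in the quoted text: the "most specific" Common Name is taken to be the last CN in the Subject, and names are compared case-insensitively as DNS names are. As a caveat for anyone reading the CA profile today, RFC 6125 later restricted wildcards to the left-most label, and current browsers are stricter still, so the `f*.com` form accepted below should not be relied on outside an RFC 2818 setting.

```python
"""RFC 2818 section 3.1 (Server Identity) matching, as quoted above.

Rules implemented:
  * If any subjectAltName dNSName is present, only those are used; the CN is ignored.
  * Otherwise the "most specific" CN is used (assumed here: the last CN in the Subject).
  * A match against any one identity of the set is acceptable.
  * '*' matches a single domain name component or a fragment of one, never across a dot:
      *.a.com matches foo.a.com but not bar.foo.a.com
      f*.com  matches foo.com   but not bar.com
"""
import re
from typing import List, Sequence


def _label_to_regex(label: str) -> "re.Pattern":
    # Each '*' becomes [^.]*; everything else is literal. A label never contains
    # '.', so a wildcard can never swallow a label boundary. Case-insensitive
    # comparison is an assumption (DNS names are case-insensitive).
    pieces = label.split("*")
    return re.compile("^" + "[^.]*".join(re.escape(p) for p in pieces) + "$", re.IGNORECASE)


def dns_name_matches(pattern: str, hostname: str) -> bool:
    """Compare one presented identity (possibly with '*') against one hostname."""
    p_labels = pattern.rstrip(".").split(".")
    h_labels = hostname.rstrip(".").split(".")
    # A wildcard stands for exactly one component, so the label counts must agree.
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_to_regex(p).match(h) is not None for p, h in zip(p_labels, h_labels))


def reference_identities(san_dns_names: Sequence[str], subject_cns: Sequence[str]) -> List[str]:
    """Select the identities RFC 2818 says MUST be used for this certificate."""
    if san_dns_names:
        return list(san_dns_names)          # dNSName present: CN is not consulted at all
    if subject_cns:
        return [subject_cns[-1]]            # deprecated CN fallback, last (most specific) CN
    return []


def server_identity_matches(hostname: str, san_dns_names: Sequence[str], subject_cns: Sequence[str]) -> bool:
    """True if the hostname matches any usable identity in the certificate."""
    return any(dns_name_matches(p, hostname) for p in reference_identities(san_dns_names, subject_cns))


if __name__ == "__main__":
    # Constructed sample certificate identities, not taken from any real certificate.
    san = ["www.example.org", "*.grid.example.org"]
    cns = ["Grid Service", "host/ce.example.org"]
    for host in ("ce.grid.example.org", "deep.ce.grid.example.org", "host/ce.example.org"):
        print(f"{host:32} -> {server_identity_matches(host, san, cns)}")
```

The hostname `host/ce.example.org` in the demo is rejected even though it appears as a CN, because the certificate carries dNSName entries and RFC 2818 says those MUST be used instead; drop the `san` list and the CN fallback kicks in.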