Comment 21 for bug 376484

In , Mozbugzilla (mozbugzilla) wrote :

(In reply to comment #18)
> Should we allow a single terminating dot?

I don't recommend doing so (or if we really do, then we should just strip off a trailing dot at the beginning of cert_TestHostName, and not modify _shexp_match further).

> I seem to recall DNS names can be terminated with a dot.

They're not permitted RFC-wise, actually... RFC 952 says:

   1. A "name" (Net, Host, Gateway, or Domain name) is a text string up
   to 24 characters drawn from the alphabet (A-Z), digits (0-9), minus
   sign (-), and period (.). Note that periods are only allowed when
   they serve to delimit components of "domain style names". (See
   RFC-921, "Domain Name System Implementation Schedule", for
   background). No blank or space characters are permitted as part of a
   name. No distinction is made between upper and lower case. The first
   character must be an alpha character. The last character must not be
   a minus sign or period.

[Note that RFC 1123 slightly changes one of these requirements:

      The syntax of a legal Internet host name was specified in RFC-952
      [DNS:4]. One aspect of host name syntax is hereby changed: the
      restriction on the first character is relaxed to allow either a
      letter or a digit. Host software MUST support this more liberal
      syntax.

 I'm not aware of any other updates to RFC 952 which would change this syntax.]

The "trailing dot issue" is actually the topic of bug 134402, and normalizing the hostname in PSM (maybe even in Necko?) seems like the better fix to me. (If really considered appropriate/necessary - IE7 e.g. also treats www.example.com and www.example.com. as different names, as does Opera.)
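
The normalization discussed in the comment above, as an added example that is not part of the original comment and is not NSS, PSM or Necko code: it strips a single trailing dot, checks the RFC 952 syntax with the RFC 1123 first-character relaxation, and then compares case-insensitively. All function names are hypothetical, and the per-label check follows the RFC 952 grammar rather than only the quoted paragraph.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: length of host with one trailing dot ignored. */
static size_t host_len_no_trailing_dot(const char *host)
{
    size_t n = strlen(host);
    return (n > 0 && host[n - 1] == '.') ? n - 1 : n;
}

/* RFC 952 syntax with the RFC 1123 first-character relaxation, applied per
 * label: non-empty, starts and ends with a letter or digit, hyphens only
 * inside. The 24-character limit of RFC 952 is not enforced here. */
static int is_rfc_hostname(const char *host, size_t n)
{
    size_t i, start = 0;
    if (n == 0) return 0;
    for (i = 0; i <= n; i++) {
        if (i == n || host[i] == '.') {
            if (i == start) return 0;  /* empty label: stray or doubled dot */
            if (!isalnum((unsigned char)host[start]) ||
                !isalnum((unsigned char)host[i - 1])) return 0;
            start = i + 1;
        } else if (!isalnum((unsigned char)host[i]) && host[i] != '-') {
            return 0;
        }
    }
    return 1;
}

/* Hypothetical comparison: normalise both sides, then compare without case. */
static int same_host_normalized(const char *a, const char *b)
{
    size_t na = host_len_no_trailing_dot(a), nb = host_len_no_trailing_dot(b);
    size_t i;
    if (na != nb || !is_rfc_hostname(a, na) || !is_rfc_hostname(b, nb)) return 0;
    for (i = 0; i < na; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

int main(void)
{
    /* Constructed sample names. */
    printf("%d\n", same_host_normalized("www.example.com.", "WWW.example.com"));
    return 0;
}
```

Only one trailing dot is removed, so a name ending in two dots still fails the syntax check instead of being silently accepted.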