(In reply to comment #39)
> Kaspar, in comment 30 you wrote:
>
> > CN=* doesn't work at all with IE,
>
> Some followup questions to that:
>
> Do you mean that a cert with CN=* will not match against a "simple host
> name" URL such as https://myhost/ in IE?
> Or do you mean only that it will not match any names containing dots?
> Or do you mean that "*" is allowed only in Subject Alt Names, not in CN ?
"*" doesn't match any unqualified ("dotless") name in IE, no matter if there's a CN=* or a dNSName entry with "*" in the subjectAltName extension. (And IE doesn't allow "*" to match for any host name which includes a dot either, of course - that's what I meant when saying "doesn't work at all".)
> Do you know what test/rule makes it fail?
I can't say what specific rule(s) IE uses, as I haven't seen its sources :-) But from all my tests I conclude that IE's rules are pretty similar to the ones which are now proposed by the latest patch (attachment 290963).
> Does IE require that at least one dot follow an asterisk?
Yes - and more than a dot must follow, actually: "CN=*." (or a subjectAltName entry with this pattern, for that matter) doesn't work for "https://myhost./", e.g.
> Does *.com work with IE?
No.
> There seems to be a desire to allow "*" to match simple host names (names
> with no dots), and I do not see that any of the above-cited RFCs disallows it.
> OTOH, if it doesn't work with IE, then there is a pretty good case for
> not supporting it.
Yes, this was also the conclusion I came to in comment 30, based on which I implemented v2 of the patch (attachment 289348, which is now obsoleted by v3).
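The rules discussed above ("*" never matches a dotless name, at least a dot and more must follow the asterisk, "*.com" is rejected) can be written down as a small host-name matcher. The following is an added example for this thread, not the patch attached to the bug and not IE's code: it implements the behaviour the comment attributes to IE, with two assumptions that the thread does not settle, namely that "*" must be the entire leftmost label (partial-label patterns such as "f*.example.com" are rejected) and that it covers exactly one label of the host name.

```python
# Added example: host-name matching with the wildcard restrictions described
# in the bug comment. Not the bug's patch. Assumptions (not stated on the
# page): '*' must be a whole leftmost label, and it matches exactly one label.

def _labels(name: str) -> list[str]:
    """Lower-case a DNS name and split it into labels, dropping a single
    trailing dot so that an absolute name such as 'myhost.' compares
    equal to 'myhost'."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".")


def wildcard_pattern_ok(cert_name: str) -> bool:
    """Accept a wildcard CN / dNSName only if '*' is the entire leftmost
    label and at least two more labels follow.  '*.example.com' passes;
    '*', '*.' and '*.com' (the cases from the thread) are all rejected."""
    labels = _labels(cert_name)
    if labels[0] != "*":
        return False                      # '*' must be a whole leftmost label (assumption)
    if any("*" in label for label in labels[1:]):
        return False                      # no wildcards anywhere else
    return len(labels) >= 3               # '*.' and '*.com' fail here


def matches_reference(cert_name: str, host: str) -> bool:
    """Does a certificate name (CN or dNSName value) match the host part of
    the URL?  Dotless hosts can only ever match a literal name."""
    if "*" not in cert_name:
        # Literal names: exact, case-insensitive label-by-label comparison.
        return _labels(cert_name) == _labels(host)
    if not wildcard_pattern_ok(cert_name):
        return False
    pattern, labels = _labels(cert_name), _labels(host)
    if len(labels) != len(pattern):
        return False                      # '*' covers exactly one label (assumption)
    if labels[0] == "" or "*" in labels[0]:
        return False                      # reject '.example.com' and wildcard hosts
    return labels[1:] == pattern[1:]


if __name__ == "__main__":
    # Constructed cases taken from the questions and answers in the thread.
    cases = [
        ("*", "myhost"),                      # dotless name, wildcard: no
        ("*.", "myhost."),                    # 'more than a dot must follow': no
        ("*.com", "example.com"),             # 'Does *.com work?' no
        ("*.example.com", "www.example.com"), # ordinary wildcard: yes
        ("*.example.com", "example.com"),     # wildcard needs a label to cover: no
        ("myhost", "MyHost."),                # literal, dotless, absolute form: yes
    ]
    for cert_name, host in cases:
        print(f"{cert_name:16} vs {host:18} -> {matches_reference(cert_name, host)}")
```

The checks are deliberately conservative: a name that fails `wildcard_pattern_ok` is rejected before any comparison with the host, so a certificate carrying `CN=*` or `CN=*.com` matches nothing at all, which is the outcome the comment reports for IE.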