[gnutls-devel] More hostname matching goodness

Nikos Mavrogiannopoulos nmav at gnutls.org
Mon Mar 24 21:19:04 CET 2014

On Mon, 2014-03-24 at 15:28 -0400, James Cloos wrote:

> NM> with the intention to completely drop wildcard support at some point.
> Wildcard support should remain indefinitely. 
> It is superior to listing every match in the cert.  Having to churn
> certs just because new hosts are added is riskier than using wildcards.

I am not really sure about it. It does not make much sense to re-use
the same key and certificate on a large number of hosts. It pretty much
ensures that if any of the hosts is compromised, all of them will be.

The main reason this was done was to reduce the cost of CA-issued
certificates, but I don't think that this is still the case.

> NM> I'll also restrict the code of existing releases (3.2 and 3.1) to two
> NM> domain components after the wildcard rule,
> Do you mean at least two right of the wildcard or that the wildcard will
> match at most two?

At least two components right of the wildcard.
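As an added illustration of the rule stated above (not GnuTLS code, and not posted by anyone in this thread), the following C matcher accepts a certificate name against a hostname, allowing a wildcard only as the whole leftmost label, letting it stand for exactly one label, and rejecting any wildcard pattern with fewer than two labels to its right, so that "*.com" is refused while "*.example.com" is allowed. The function and macro names, the refusal to wildcard-match dotted-decimal IPv4 literals, and the sample inputs in main() are my own assumptions and constructed data, not anything taken from the library or the message.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Rule from the thread: at least this many labels right of the wildcard.
 * The name of the constant is an assumption for this example. */
#define MIN_LABELS_RIGHT_OF_WILDCARD 2

/* Number of labels in a dotted name, or 0 if the name is empty or has an
 * empty label (leading dot, trailing dot or two consecutive dots). */
static size_t count_labels(const char *name)
{
    if (*name == '\0' || *name == '.')
        return 0;
    size_t n = 1;
    for (; *name; name++) {
        if (*name == '.') {
            if (name[1] == '\0' || name[1] == '.')
                return 0;
            n++;
        }
    }
    return n;
}

/* ASCII case-insensitive equality of two whole strings (DNS names are
 * compared case-insensitively). */
static bool eq_nocase(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return false;
    return *a == *b;
}

/* Crude test for a dotted-decimal IPv4 literal: digits and dots only.
 * A wildcard must never be matched against an IP address (assumption
 * added here, not part of the thread's rule). */
static bool looks_like_ipv4(const char *s)
{
    bool digit_seen = false;
    for (; *s; s++) {
        if (isdigit((unsigned char)*s))
            digit_seen = true;
        else if (*s != '.')
            return false;
    }
    return digit_seen;
}

/* Does certificate name `pattern` cover `hostname`?
 * - no '*': exact, case-insensitive match
 * - '*': only as the entire leftmost label ("*.rest"), only one of them,
 *   matching exactly one non-empty label, with at least
 *   MIN_LABELS_RIGHT_OF_WILDCARD well-formed labels in "rest". */
bool hostname_matches(const char *pattern, const char *hostname)
{
    if (pattern == NULL || hostname == NULL || *pattern == '\0' || *hostname == '\0')
        return false;

    const char *star = strchr(pattern, '*');
    if (star == NULL)
        return eq_nocase(pattern, hostname);

    /* Wildcard must be the whole first label, and the only one. */
    if (star != pattern || pattern[1] != '.' || strchr(pattern + 1, '*') != NULL)
        return false;

    const char *suffix = pattern + 1;                 /* ".example.com" */
    if (count_labels(suffix + 1) < MIN_LABELS_RIGHT_OF_WILDCARD)
        return false;

    if (looks_like_ipv4(hostname))
        return false;

    /* The wildcard stands for exactly one non-empty label: everything from
     * the hostname's first dot onward must equal the pattern's suffix. */
    const char *dot = strchr(hostname, '.');
    if (dot == NULL || dot == hostname)
        return false;
    return eq_nocase(dot, suffix);
}

int main(void)
{
    /* Constructed sample pairs, not taken from any real certificate. */
    const char *pairs[][2] = {
        {"*.example.com", "www.example.com"},
        {"*.example.com", "a.b.example.com"},
        {"*.com", "example.com"},
        {"*.co.uk", "example.co.uk"},
    };
    for (size_t i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        printf("%-16s vs %-18s -> %s\n", pairs[i][0], pairs[i][1],
               hostname_matches(pairs[i][0], pairs[i][1]) ? "match" : "no match");
    return 0;
}
```

Note what the label count does and does not buy: "*.com" is refused, but "*.co.uk" has two labels to the right of the wildcard and is accepted, even though "co.uk" is a public suffix under which unrelated parties register names. A count alone cannot tell a registrable domain from a multi-label public suffix; a verifier that needs that distinction has to consult a public-suffix list, which is outside what this example implements.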

