Mike 'Mike' Jones <mike.jones@manchester.ac.uk> wrote:
On the subject of wild cards, a number of browsers support the use of the asterisks as wild cards in the CN field of a DNS style CN. e.g. *.google.com; does this document need a comment to this effect?
One reference for this behavior is Section 3.1 (Server Identity) of RFC 2818 (HTTP Over TLS). If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead. Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com. -Jim