ACME/WildCardCertificate/6125

6.4.3. Checking of Wildcard Certificates

   A client employing this specification's rules MAY match the reference
   identifier against a presented identifier whose DNS domain name
   portion contains the wildcard character '*' as part or all of a label
   (following the description of labels and domain names in [DNS-CONCEPTS]).

   For information regarding the security characteristics of wildcard
   certificates, see Section 7.2.

'*' may appear as part of a label or as the whole label. (An unnecessary remark.)

   If a client matches the reference identifier against a presented
   identifier whose DNS domain name portion contains the wildcard
   character '*', the following rules apply:

   1.  The client SHOULD NOT attempt to match a presented identifier in
       which the wildcard character comprises a label other than the
       left-most label (e.g., do not match bar.*.example.net).

It may be used only in the left-most label, that is, the first label.

   2.  If the wildcard character is the only character of the left-most
       label in the presented identifier, the client SHOULD NOT compare
       against anything but the left-most label of the reference
       identifier (e.g., *.example.com would match foo.example.com but
       not bar.foo.example.com or example.com).

When '*' is used as a label on its own, it matches only the left-most label of the reference identifier.

   3.  The client MAY match a presented identifier in which the wildcard
       character is not the only character of the label (e.g.,
       baz*.example.net and *baz.example.net and b*z.example.net would
       be taken to match baz1.example.net and foobaz.example.net and
       buzz.example.net, respectively).  However, the client SHOULD NOT
       attempt to match a presented identifier where the wildcard
       character is embedded within an A-label or U-label [IDNA-DEFS] of
       an internationalized domain name [IDNA-PROTO].

When '*' appears as part of a label, it is not matched against an IDN (internationalized domain name) label.

   baz*.example.net : baz1.example.net
   *baz.example.net : foobaz.example.net
   b*z.example.net  : buzz.example.net
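As an added example (not part of this page or of RFC 6125 itself), the following Python matcher applies rules 1 to 3 above to a presented identifier and a reference identifier. Refusing more than one '*' in a label, and refusing a partial wildcard when either first label is an IDN label, are conservative assumptions of this example; the RFC text only forbids the wildcard being embedded within an A-label or U-label.

```python
def _is_idn_label(label: str) -> bool:
    # An A-label is Punycode and starts with "xn--"; a U-label contains non-ASCII.
    return label.lower().startswith("xn--") or not label.isascii()


def wildcard_matches(presented: str, reference: str) -> bool:
    """True if the certificate's presented identifier matches the reference
    identifier under the RFC 6125 section 6.4.3 wildcard rules."""
    p_labels = presented.lower().rstrip(".").split(".")
    r_labels = reference.lower().rstrip(".").split(".")
    if "*" not in presented:
        # No wildcard: plain case-insensitive label comparison.
        return p_labels == r_labels
    # Rule 1: a wildcard anywhere but the left-most label is not matched
    # (e.g. bar.*.example.net is refused).
    if any("*" in lbl for lbl in p_labels[1:]):
        return False
    # The wildcard stands for exactly one label, so the label counts must agree:
    # *.example.com matches foo.example.com, not bar.foo.example.com or example.com.
    if len(p_labels) != len(r_labels) or p_labels[1:] != r_labels[1:]:
        return False
    first, cand = p_labels[0], r_labels[0]
    if first == "*":
        # Rule 2: a bare '*' matches any single, non-empty left-most label.
        return cand != ""
    # Rule 3: partial wildcard (baz*, *baz, b*z). Assumption of this example:
    # accept exactly one '*' and refuse IDN labels on either side.
    if first.count("*") != 1:
        return False
    if _is_idn_label(first) or _is_idn_label(cand):
        return False
    prefix, suffix = first.split("*")
    return (cand.startswith(prefix) and cand.endswith(suffix)
            and len(cand) >= len(prefix) + len(suffix))
```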

1. Discussion

This is a situation that needs much more discussion.

Support for certificate partial wildcard in middle of identifier https://github.com/openssl/openssl/issues/4293

https://www.rfc-editor.org/errata_search.php?rfc=6125

richsalz commented on Aug 31, 2017

Wildcards are risky as the errata shows.
However they are widely used, with "*.foo.bar" as the only form that is in public use,
so supporting that is reasonable.
Embedded wildcards are more risky and there is no demand for them.

Wed, 06 October 2010 21:47 https://mailarchive.ietf.org/arch/msg/certid/wJqsOTEl1oWtjU8enZmvEIzAS6o