> Perhaps the best method would actually be to match only "*." at the
> beginning of the CN for now, and see if people complain? I would much
> like someone who knows more about what would be reasonable to speak up
> here, but it seems we don't have anybody here who knows...
I would encourage you to adopt a solution where * matches only a
single pathname component. This seems to be the intention of both
RFC2818 and RFC2595. It is also the behavior of IE7; FF2 seems to
deviate from the spec.
http://www.hanselman.com/blog/SomeTroubleWithWildcardSSLCertificatesFireFoxAndRFC2818.aspx
There are several other advantages of this approach that seem worth mentioning:
1. If you make it match a single pathname component now, and later
decide that you were wrong and change your mind, it is guaranteed not
to break any working installations. The reverse is not true.
2. I can't see any possible way that matching a single component could
create security holes that would be eliminated by matching multiple
components, but I'm more skeptical about the other direction. What
about the old DNS hack where you create a DNS record for
example.com.sample.com and hijack connections intended for example.com
made by people whose default DNS suffix is sample.com? There may be
reason to believe this isn't a problem, but matching less seems like
it can't possibly be a bad thing.
3. It would be truly bizarre if www*.example.com matched
www17.some.stuff.in.the.middle.example.com. (That having been said, I
wouldn't worry about wildcards intended to match part of a component
too much. I suspect that it's an extremely rare case, and we can
always add support later if there is demand for it. Not worrying
about this now will help keep the code simple and free of bugs, always
good in a security-critical context.)
...Robert
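The matching rule argued for above, as an added example that is not part of the thread and not code from any of the implementations it mentions: a hostname matcher in which `*` stands in for at most one DNS label (or a fragment of one, the `f*.com` form RFC 2818 allows), shown beside a deliberately loose matcher in which `*` may span several labels. The loose matcher is an assumption constructed only to illustrate the contrast drawn in points 2 and 3, not a claim about how any particular browser was implemented; all hostnames and patterns are constructed test data.

```python
import re


def _labels(name: str):
    """Normalise a DNS name for comparison: case-insensitive, one trailing dot
    tolerated, no empty labels. Returns None for a malformed name so that a
    malformed pattern or hostname can never match anything."""
    name = name.strip().lower().rstrip(".")
    labels = name.split(".")
    if name == "" or any(label == "" for label in labels):
        return None
    return labels


def _fragment_regex(pattern_piece: str) -> str:
    """Turn a pattern piece into an anchored regex where '*' means 'any run of
    characters'. Everything else is matched literally (re.escape), so a '.'
    in the pattern is a real dot, not a regex metacharacter."""
    return "^" + ".*".join(re.escape(part) for part in pattern_piece.split("*")) + "$"


def match_single_component(pattern: str, hostname: str) -> bool:
    """RFC 2818 style: the name must have the same number of labels as the
    pattern, and a '*' is resolved inside its own label only. Because each
    label is matched separately, '.*' in the regex can never cross a dot."""
    p_labels, h_labels = _labels(pattern), _labels(hostname)
    if p_labels is None or h_labels is None:
        return False
    if len(p_labels) != len(h_labels):
        return False          # a wildcard cannot absorb extra labels
    for p, h in zip(p_labels, h_labels):
        if "*" in p:
            if re.match(_fragment_regex(p), h) is None:
                return False
        elif p != h:
            return False
    return True


def match_multi_component(pattern: str, hostname: str) -> bool:
    """Assumed loose behaviour, for contrast only: the whole name is matched
    as one string, so '*' may swallow any number of labels including dots."""
    p_labels, h_labels = _labels(pattern), _labels(hostname)
    if p_labels is None or h_labels is None:
        return False
    return re.match(_fragment_regex(".".join(p_labels)), ".".join(h_labels)) is not None


# Constructed cases covering the three points in the post.
CASES = [
    ("*.example.com", "www.example.com"),                                # the intended use
    ("*.example.com", "a.b.example.com"),                                # one extra label
    ("*.sample.com", "example.com.sample.com"),                          # point 2: search-suffix hijack shape
    ("www*.example.com", "www17.example.com"),                           # fragment of one label
    ("www*.example.com", "www17.some.stuff.in.the.middle.example.com"),  # point 3
    ("*.example.com", "example.com"),                                    # wildcard cannot match zero labels
    ("*.Example.COM", "WWW.example.com."),                               # case and trailing dot normalised
    ("*.example.com", "www..example.com"),                               # malformed name never matches
]


def compare(cases=CASES):
    """Return (pattern, hostname, single_component_result, multi_component_result)
    for each case so the two rules can be read side by side."""
    return [(p, h, match_single_component(p, h), match_multi_component(p, h)) for p, h in cases]


if __name__ == "__main__":
    print(f"{'pattern':<20} {'hostname':<48} single  multi")
    for p, h, single, multi in compare():
        print(f"{p:<20} {h:<48} {str(single):<7} {multi}")
```

Every case the single-component rule accepts is also accepted by the loose rule, which is point 1 in code: tightening later would break working installations, loosening later would not. The two rows where the rules disagree are exactly the `example.com.sample.com` and `www17.some.stuff...` shapes from points 2 and 3.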