Status: Held for Document Update (1)

RFC2818, "HTTP Over TLS", May 2000

Source of RFC: tls (sec)

Errata ID: 1077

Status: Held for Document Update
Type: Editorial

Reported By: Joseph Shraibman
Date Reported: 2007-11-14
Held for Document Update by: Sean Turner
Date Held: 2010-08-10

Section 3.1 says:

   Matching is performed using the matching rules specified by
   [RFC2459].  If more than one identity of a given type is present in
   the certificate (e.g., more than one dNSName name, a match in any one
   of the set is considered acceptable.) Names may contain the wildcard
   character * which is considered to match any single domain name
   component or component fragment. E.g., *.a.com matches foo.a.com but
   not bar.foo.a.com. f*.com matches foo.com but not bar.com.

It should say:

   Matching is performed using the matching rules specified by
   [RFC2459].  If more than one identity of a given type is present in
   the certificate (e.g., more than one dNSName name), a match in any one
   of the set is considered acceptable.  Names may contain the wildcard
   character * which is considered to match any single domain name
   component or component fragment. E.g., *.a.com matches foo.a.com but
   not bar.foo.a.com and f*.com matches foo.com but not bar.com.

Notes:

The submitted errata indicated that multiple wildcards were allowed (e.g., *.*.a.com matches foo.bar.a.com but not foo.com). This is too large a change to make with an errata. The Security and Application ADs feel a consensus call would be required to make that change. Further, the current practice is to allow only one at the leftmost position. This is being documented in draft-saintandre-tls-server-id-check-09, and it is intended to be a BCP.

The errata does, however, correct a misplaced parenthesis, and uses semi-colons to separate examples.
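The following matcher is an added worked example, not code from RFC 2818, the erratum, or the IETF. It implements the Section 3.1 rule as the erratum states it (a single `*` stands for one domain name component or a fragment of one, so `*.a.com` matches `foo.a.com` but not `bar.foo.a.com`, and `f*.com` matches `foo.com` but not `bar.com`), narrowed to the current practice described in the note above: exactly one wildcard, and only in the leftmost label, so a pattern such as `*.*.a.com` is refused outright. It also applies the "any one of the set is acceptable" rule for certificates carrying several dNSName identities. Function names are mine; the decision that a wildcard must match at least one character (so `f*.com` does not match `f.com`) is an assumption the page does not settle.

```python
"""RFC 2818 section 3.1 dNSName matching, as an added example.

Not the RFC's or the erratum's own code.  Rules implemented:
  * labels compare case-insensitively, with a trailing dot ignored;
  * '*' matches exactly one component, or a fragment of one component;
  * current practice (see the note): one wildcard, leftmost label only;
  * a match against any one of several dNSName identities is acceptable.
Assumption (not settled by the page): the fragment matched by '*'
must be non-empty, so 'f*.com' does not match 'f.com'.
"""


def _labels(name: str) -> list[str]:
    """Lowercase, drop a trailing dot, and split into DNS labels."""
    name = name.strip().lower().rstrip(".")
    return name.split(".") if name else []


def pattern_is_acceptable(pattern: str) -> bool:
    """Accept a presented dNSName only if its wildcard use is allowed."""
    labels = _labels(pattern)
    if not labels or any(label == "" for label in labels):
        return False
    star_labels = [label for label in labels if "*" in label]
    if not star_labels:
        return True
    # Current practice: a single '*', and only in the leftmost label.
    # This is what rejects '*.*.a.com' and 'foo.*.com'.
    return (len(star_labels) == 1
            and "*" in labels[0]
            and labels[0].count("*") == 1)


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one label; '*' covers a non-empty fragment of the label."""
    if "*" not in pattern_label:
        return pattern_label == host_label
    prefix, suffix = pattern_label.split("*", 1)
    # Length check also guarantees prefix and suffix do not overlap.
    return (len(host_label) > len(prefix) + len(suffix)
            and host_label.startswith(prefix)
            and host_label.endswith(suffix))


def hostname_matches(pattern: str, host: str) -> bool:
    """Does the presented identity `pattern` match the reference `host`?"""
    if not pattern_is_acceptable(pattern):
        return False
    p_labels, h_labels = _labels(pattern), _labels(host)
    if not h_labels or any(label == "" for label in h_labels) or "*" in host:
        return False
    # '*' stands for exactly one component, never several, so the label
    # counts must agree: '*.a.com' matches 'foo.a.com', not 'bar.foo.a.com'.
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def host_matches_any(host: str, dns_names: list[str]) -> bool:
    """More than one dNSName may be present; any one matching is acceptable."""
    return any(hostname_matches(name, host) for name in dns_names)


if __name__ == "__main__":
    # Constructed examples, including the two given in the RFC text.
    for pattern, host in [("*.a.com", "foo.a.com"), ("*.a.com", "bar.foo.a.com"),
                          ("f*.com", "foo.com"), ("f*.com", "bar.com"),
                          ("*.*.a.com", "foo.bar.a.com"), ("foo.*.com", "foo.a.com")]:
        print(f"{pattern:12} vs {host:16} -> {hostname_matches(pattern, host)}")
```

Deployed validators commonly add restrictions beyond what this page states (for instance refusing wildcards that are not followed by at least two literal labels, or wildcards inside internationalized labels); those belong to the later guidance the note points at and are deliberately not implemented here.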