RFC 2595, "Using TLS with IMAP, POP3 and ACAP", June 1999
Source of RFC: Legacy
Area Assignment: app
Errata ID: 1076
Status: Held for Document Update
Publication Format(s) : TEXT
Reported By: Joseph Shraibman
Date Reported: 2007-11-14
Held for Document Update by: Alexey Melnikov
Date Held: 2010-09-03
Section 2.4 says:
- A "*" wildcard character MAY be used as the left-most name component in the certificate. For example, *.example.com would match a.example.com, foo.example.com, etc. but would not match example.com.
It should say:
- A "*" wildcard character MAY be used for the left-most name components in the certificate. For example, *.example.com would match a.example.com, foo.example.com, etc. but would not match example.com or foo.bar.example.com. *.*.example.com would match foo.bar.example.com but would not match foo.example.com.
It seems the original wording unintentionally disallowed certificates with *.* wildcards.
Alexey: The submitted errata indicated that multiple wildcards were allowed (e.g., *.*.a.com matches foo.bar.a.com but not foo.com). This is too large of a change to make with an errata. The Security and Application ADs feel a consensus call would be required to make that change. Further, the current practice is to allow only one at the leftmost position. This is being documented in draft-saintandre-tls-server-id-check and it's intended to be a BCP.
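The difference between the two readings above is easiest to see in a name matcher. The following is an added example, not code from RFC 2595, the errata system, or any IETF implementation: matches_rfc2595 applies Section 2.4 as written (a single "*" only as the entire left-most label, which is also the current practice Alexey refers to), and matches_proposed_erratum applies the multi-wildcard reading the report proposed, so the two can be compared on the page's own examples. Choices that go beyond the RFC text, and are this example's assumptions, are noted in the comments: a partial-label wildcard such as f*.example.com and a bare "*" are rejected, empty labels never match, and comparison is case-insensitive as DNS names are.

```python
# Added example (not IETF or RFC 2595 code): certificate-name vs. hostname
# matching under the RFC 2595 section 2.4 wildcard rule, beside the
# multi-wildcard reading that the erratum proposed and that was held.
from typing import List


def _labels(name: str) -> List[str]:
    """Split a DNS name into lower-cased labels; a trailing dot is ignored."""
    return name.lower().rstrip(".").split(".")


def _well_formed(labels: List[str]) -> bool:
    """Assumption of this example: empty labels ('a..b', '') never match."""
    return len(labels) > 0 and all(lab != "" for lab in labels)


def matches_rfc2595(cert_name: str, hostname: str) -> bool:
    """RFC 2595 rule: '*' MAY appear only as the complete left-most label.

    *.example.com matches a.example.com and foo.example.com, but not
    example.com (fewer labels) or foo.bar.example.com (more labels).
    Assumptions of this example: a partial-label wildcard (f*.example.com)
    and a bare '*' are rejected rather than interpreted.
    """
    pat, host = _labels(cert_name), _labels(hostname)
    if not (_well_formed(pat) and _well_formed(host)):
        return False
    for i, lab in enumerate(pat):
        # Any '*' that is not the whole left-most label makes the name unusable.
        if "*" in lab and not (i == 0 and lab == "*" and len(pat) > 1):
            return False
    if len(pat) != len(host):
        return False  # every label, the wildcard included, covers exactly one label
    return all(p == "*" or p == h for p, h in zip(pat, host))


def matches_proposed_erratum(cert_name: str, hostname: str) -> bool:
    """The reading the erratum proposed (held, not adopted): several '*'
    labels are allowed as long as they are all on the left, each covering
    exactly one label. *.*.example.com matches foo.bar.example.com but not
    foo.example.com.
    """
    pat, host = _labels(cert_name), _labels(hostname)
    if not (_well_formed(pat) and _well_formed(host)):
        return False
    n_wild = 0
    while n_wild < len(pat) and pat[n_wild] == "*":
        n_wild += 1
    # Only whole left-most labels may be wildcards, and not all of them.
    if n_wild == len(pat) or any("*" in lab for lab in pat[n_wild:]):
        return False
    if len(pat) != len(host):
        return False
    return pat[n_wild:] == host[n_wild:]


def certificate_accepts(cert_names: List[str], hostname: str) -> bool:
    """True if any name carried by the certificate matches the host the
    client connected to, under the RFC 2595 rule."""
    return any(matches_rfc2595(name, hostname) for name in cert_names)


if __name__ == "__main__":
    # Constructed cases taken from the wording of the RFC and of the erratum.
    cases = [
        ("*.example.com", "a.example.com"),
        ("*.example.com", "foo.example.com"),
        ("*.example.com", "example.com"),
        ("*.example.com", "foo.bar.example.com"),
        ("*.*.example.com", "foo.bar.example.com"),
        ("*.*.example.com", "foo.example.com"),
    ]
    print(f"{'certificate name':<18}{'hostname':<22}{'RFC 2595':<10}proposed")
    for cert, host in cases:
        print(f"{cert:<18}{host:<22}"
              f"{str(matches_rfc2595(cert, host)):<10}"
              f"{matches_proposed_erratum(cert, host)}")
```

Run as a script it prints a comparison table; the two matchers agree on every single-wildcard case and differ only on *.*.example.com, which is exactly the pattern the erratum would have admitted.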