RFC Errata


Errata Search

 
Source of RFC  
Summary Table Full Records

RFC 2595, "Using TLS with IMAP, POP3 and ACAP", June 1999

Source of RFC: Legacy
Area Assignment: app

Errata ID: 1076
Status: Held for Document Update
Type: Technical
Publication Format(s) : TEXT

Reported By: Joseph Shraibman
Date Reported: 2007-11-14
Held for Document Update by: Alexey Melnikov
Date Held: 2010-09-03

Section 2.4 says:

- A "*" wildcard character MAY be used as the left-most name
     component in the certificate.  For example, *.example.com would
     match a.example.com, foo.example.com, etc. but would not match
     example.com.

It should say:

- A "*" wildcard character MAY be used for the left-most name
     components in the certificate.  For example, *.example.com would
     match a.example.com, foo.example.com, etc. but would not match
     example.com or foo.bar.example.com.  *.*.example.com would match 
     foo.bar.example.com but would not match foo.example.com.

Notes:

It seems the original wording unintentionally disallowed certificates with *.* wildcards.

Alexey: The submitted errata indicated that multiple wildcards were allowed (e.g., *.*.a.com matches foo.bar.a.com but not foo.com). This is too large of a change to make with an errata. The Security and Application ADs feel a consensus call would be required to make that change. Further, the current practice is to allow only one at the leftmost position. This is being documented in draft-saintandre-tls-server-id-check and its intended to be a BCP.

Report New Errata