RFC Errata
RFC 2818, "HTTP Over TLS", May 2000
Note: This RFC has been obsoleted by RFC 9110
Note: This RFC has been updated by RFC 5785, RFC 7230
Source of RFC: tls (sec)
Errata ID: 1077
Status: Held for Document Update
Type: Editorial
Publication Format(s): TEXT
Reported By: Joseph Shraibman
Date Reported: 2007-11-14
Held for Document Update by: Sean Turner
Date Held: 2010-08-10
Section 3.1 says:
Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name, a match in any one of the set is considered acceptable.) Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com. f*.com matches foo.com but not bar.com.
It should say:
Matching is performed using the matching rules specified by [RFC2459]. If more than one identity of a given type is present in the certificate (e.g., more than one dNSName name), a match in any one of the set is considered acceptable. Names may contain the wildcard character * which is considered to match any single domain name component or component fragment. E.g., *.a.com matches foo.a.com but not bar.foo.a.com and f*.com matches foo.com but not bar.com.
Notes:
The submitted errata indicated that multiple wildcards were allowed (e.g., *.*.a.com matches foo.bar.a.com but not foo.com). This is too large of a change to make with an errata. The Security and Application ADs feel a consensus call would be required to make that change. Further, the current practice is to allow only one at the leftmost position. This is being documented in draft-saintandre-tls-server-id-check-09 and it is intended to be a BCP.
The errata does, however, correct a misplaced parenthesis and uses semi-colons to separate examples.
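The following is an added example, not part of the erratum or of RFC 2818 itself. It implements the dNSName matching rule as the corrected Section 3.1 text states it (each label compared one-to-one, with `*` standing for a whole label or a fragment of one, never crossing a dot), together with the "any one identity in the set is acceptable" rule. A separate shape check reflects the stricter practice the notes describe, a single wildcard confined to the leftmost label, which is what draft-saintandre-tls-server-id-check (later published as RFC 6125) documents. Case-insensitive comparison is an assumption taken from DNS practice; RFC 2818 does not spell it out. The function names and the sample names are constructed for this example.

```python
import re


def _label_matches(pattern_label: str, host_label: str) -> bool:
    """Match one DNS label of the certificate name against one host label.

    RFC 2818 3.1: '*' matches "any single domain name component or component
    fragment", so it expands to zero or more characters within this label
    and never matches across a dot. That is why '*.a.com' matches
    'foo.a.com' but not 'bar.foo.a.com', and 'f*.com' matches 'foo.com'.
    """
    if "*" not in pattern_label:
        return pattern_label == host_label
    regex = "".join("[^.]*" if ch == "*" else re.escape(ch) for ch in pattern_label)
    return re.fullmatch(regex, host_label) is not None


def matches_rfc2818(pattern: str, hostname: str) -> bool:
    """True if hostname matches a dNSName pattern under the corrected text.

    Labels are compared pairwise, so the label counts must agree. Both sides
    are lower-cased first (assumption: DNS names are case-insensitive; the
    RFC text does not state this explicitly).
    """
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(_label_matches(p, h) for p, h in zip(p_labels, h_labels))


def matches_any_dnsname(dns_names, hostname: str) -> bool:
    """If the certificate carries several dNSName identities, a match
    against any one of them is acceptable (RFC 2818 3.1)."""
    return any(matches_rfc2818(name, hostname) for name in dns_names)


def wildcard_form_is_conservative(pattern: str) -> bool:
    """Shape check for the stricter current practice the erratum notes
    describe: at most one '*' and, when present, only in the leftmost label.

    Note that the literal RFC 2818 rule above accepts '*.*.a.com' for
    'foo.bar.a.com', the very example the submitter wanted added; this check
    rejects that pattern before matching is even attempted.
    """
    count = pattern.count("*")
    if count == 0:
        return True
    if count > 1:
        return False
    return "*" in pattern.split(".")[0]


if __name__ == "__main__":
    # Constructed examples taken from the erratum text and its notes.
    for pat, host in [("*.a.com", "foo.a.com"), ("*.a.com", "bar.foo.a.com"),
                      ("f*.com", "foo.com"), ("f*.com", "bar.com"),
                      ("*.*.a.com", "foo.bar.a.com"), ("*.*.a.com", "foo.com")]:
        print(f"{pat:12} vs {host:16} rfc2818={matches_rfc2818(pat, host)!s:5} "
              f"conservative_form={wildcard_form_is_conservative(pat)}")
```

A verifier that wants RFC 2818 behaviour with the conservative restriction simply requires `wildcard_form_is_conservative(name)` to hold for every wildcard identity before calling `matches_rfc2818`; names that fail the shape check are treated as non-matching rather than silently widened.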