On Mon, Jul 17, 2017 at 10:18:40AM -0400, Mark Haney wrote:
On 07/17/2017 09:27 AM, Fraser Tweedale wrote:
https://tools.ietf.org/html/rfc6125#section-7.2
This document states that the wildcard character '*' SHOULD NOT be included in presented identifiers but MAY be checked by application clients (mainly for the sake of backward compatibility with deployed infrastructure).
Furthermore, note that wildcards in dNSName values (SAN), although supported by most clients, are technically a violation of RFC 5280. The deprecation (and now, actual removal in clients) of CN-based validation poses another challenge in this regard.
Some years ago it seemed impossible that CN-based hostname validation, despite being officially deprecated in RFC 2818 and the deprecation affirmed by RFC 6125, would ever happen. But it has happened. The thing is... "all the clients still support it"... until they don't anymore!
Okay, I'm aware of the reasoning, and the implications of having wildcards in the SAN, but I'm still not seeing like a drop/removal deadline date for this. We handle several hundred certs for our clients, some of which are wildcards, and it would be nice to know when this will become a serious issue long before it bites us in the butt.
(Yeah, I know it's a ginormously stupid question, but I typically don't muck with wildcard certs, so this isn't something I have had to deal with.)
No one knows "when". Just like no one knew "when" re the CN deprecation, until Google went ahead and did it with not much notice (2 or 3 months).
But the context is: the public PKI had to put all naming info in SANs for quite a while. At the time Google became first mover to disable CN validation, there was nil chance of any impact on the public PKI. This is certainly not the case for wildcards today, but efforts like Let's Encrypt are likely reducing the incidence of wildcard certs in the wild. (OTOH, LE just announced wildcard cert support, albeit with a somewhat restricted scope, so go figure).
Even though there seems to be no hurry, my advice is to encourage and assist customers to begin moving away from wildcard certs, where it is practical to do so.
Cheers, Fraser
-- Mark Haney Network Engineer at NeoNova 919-460-3330 option 1 mark.haney@neonova.net www.neonova.net
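To make the client-side behaviour discussed above concrete (wildcards honoured only as the complete left-most label per RFC 6125 section 6.4.3, SAN dNSName authoritative, CN consulted only as an explicitly enabled fallback), here is an added matcher written for this thread; it is not code from either participant, and the `CertIdentifiers` container and the policy flags are assumptions introduced for the example.

```python
"""RFC 6125-style reference identifier matching, with the wildcard and
CN-fallback behaviours from the thread exposed as explicit policy knobs."""
from dataclasses import dataclass, field
from typing import List, Optional


def _labels(name: str) -> List[str]:
    # DNS names compare case-insensitively; tolerate one trailing dot.
    return name.lower().rstrip(".").split(".")


def dns_name_matches(presented: str, reference: str, allow_wildcards: bool = True) -> bool:
    """Match a presented dNSName against a reference hostname (RFC 6125 s6.4.3).
    A wildcard is honoured only as the entire left-most label, must leave at
    least two labels to its right, and never matches across a label boundary."""
    p, r = _labels(presented), _labels(reference)
    if "*" not in presented:
        return p == r
    if not allow_wildcards:
        return False
    # Only "*.rest" is accepted: no partial-label wildcards, none beyond the left-most label.
    if p[0] != "*" or any("*" in lab for lab in p[1:]):
        return False
    if len(p) < 3:           # refuse "*.com" style identifiers outright
        return False
    if len(r) != len(p):     # "*" stands for exactly one label, so counts must agree
        return False
    return r[0] != "" and p[1:] == r[1:]


@dataclass
class CertIdentifiers:            # assumed container; a real client reads these from the X.509 cert
    san_dns: List[str] = field(default_factory=list)
    cn: Optional[str] = None


def hostname_matches_cert(hostname: str, cert: CertIdentifiers,
                          allow_wildcards: bool = True, allow_cn_fallback: bool = False) -> bool:
    """SAN dNSName entries are authoritative; the CN is consulted only when the
    cert carries no dNSName at all AND the caller still permits the deprecated fallback."""
    if cert.san_dns:
        return any(dns_name_matches(n, hostname, allow_wildcards) for n in cert.san_dns)
    if allow_cn_fallback and cert.cn:
        return dns_name_matches(cert.cn, hostname, allow_wildcards)
    return False


def wildcard_identifiers(cert: CertIdentifiers) -> List[str]:
    """Inventory helper: presented identifiers containing '*', i.e. the ones a
    future client policy change would stop accepting."""
    ids = list(cert.san_dns) + ([cert.cn] if cert.cn else [])
    return [i for i in ids if "*" in i]
```

Running `wildcard_identifiers` over an existing certificate inventory gives the list of names to migrate first, and flipping `allow_wildcards` to `False` shows which hosts would break under a stricter client policy.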