Message 291040 - Python tracker

➜

This issue tracker has been migrated to GitHub, and is currently read-only.
For more information, see the GitHub FAQs in the Python's Developer Guide.

Author	christian.heimes
Recipients	alex, benjamin.peterson, christian.heimes, dstufft, ned.deily, pitrou, rhettinger
Date	2017-04-02.18:06:40
SpamBayes Score	-1.0
Marked as misclassified	Yes
Message-id	<[email protected]>
In-reply-to

Content
Ned, Benjamin, are you ok with a backport to 2.7 and 3.6? Substring (aka partial) matching of wildcards is a MAY feature according to RFC 6125 https://tools.ietf.org/html/rfc6125#section-6.4.3 . They are a violation of CA/B Form's baseline requirements, so no publicaly trusted cert may contain a CN or SAN entry with a partial wildcard. Several libraries and languages do not implement the feature either. Improper wildcard matching caused a bunch of security issues and CVEs in Python.

Ned, Benjamin,

are you ok with a backport to 2.7 and 3.6? Substring (aka partial) matching of wildcards is a MAY feature according to RFC 6125 https://tools.ietf.org/html/rfc6125#section-6.4.3 . They are a violation of CA/B Form's baseline requirements, so no publicaly trusted cert may contain a CN or SAN entry with a partial wildcard. Several libraries and languages do not implement the feature either. Improper wildcard matching caused a bunch of security issues and CVEs in Python.

History
Date	User	Action	Args
2017-04-02 18:06:40	christian.heimes	set	recipients: + christian.heimes, rhettinger, pitrou, benjamin.peterson, ned.deily, alex, dstufft
2017-04-02 18:06:40	christian.heimes	set	messageid: <[email protected]>
2017-04-02 18:06:40	christian.heimes	link	issue23033 messages
2017-04-02 18:06:40	christian.heimes	create