
On Mon, Feb 25, 2013 at 12:18:00PM -0500, Jay Ashworth wrote:
If I understood Brian correctly, his problem is that people/programs are trying to retrieve things from, e.g.:
https://my.host.name./this/is/a/path
and the SSL library fails the certificate match if the cert doesn't contain the absolute domain name as an altName -- because *the browser* (or whatever) does not normalize before calling the library.
I'd argue that if you have an absolute domain name, then that _is_ the 'normalized' form of the domain name; it's an unambiguous representation of the domain name. (Here, I'm treating the string as a serialized data structure.) Choosing to remove the notion of "this is rooted", and then asking any (all?) other layers to handle the introduced ambiguity sounds like setting yourself up for the issues that RFC 1535 was drawing attention to.
Cheers,
-- jra
--
Jay R. Ashworth          Baylink                     jra@baylink.com
Designer                 The Things I Think          RFC 2100
Ashworth & Associates    http://baylink.pitas.com    2000 Land Rover DII
St Petersburg FL USA     #natog                      +1 727 647 1274

--
Brian Reichert <reichert@numachi.com>
BSD admin/developer at large
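The mismatch discussed in this thread, as an added illustration that is not part of either message and is not the code of any particular SSL library: a comparison of a reference host name against a certificate's dNSName entries, once on the strings as given and once on parsed labels where the root dot is structural rather than textual. The function names, the sample altName lists and the wildcard rule (leftmost label only, at least two fixed labels) are assumptions made for the example.

```python
# Added example; names and sample altName lists are constructed.

def labels(name):
    """Parse a DNS name into lowercase labels plus a 'rooted' flag."""
    rooted = name.endswith(".")
    body = name[:-1] if rooted else name
    if not body or body.startswith(".") or ".." in body:
        raise ValueError("malformed DNS name: %r" % name)
    return body.lower().split("."), rooted


def san_matches(reference, san, root_aware):
    """Compare one reference name with one dNSName altName entry.

    root_aware=False: split the raw strings, so a trailing dot on only
    one side leaves an extra empty label and the comparison fails.
    root_aware=True: parse both sides first; 'my.host.name.' and
    'my.host.name' then carry the same labels.
    """
    if root_aware:
        ref, _ = labels(reference)
        pat, _ = labels(san)
    else:
        ref = reference.lower().split(".")
        pat = san.lower().split(".")
    if len(ref) != len(pat):
        return False
    if pat[0] == "*":
        # Assumed rule: '*' stands for exactly one leftmost label and
        # needs at least two fixed labels after it.
        return len(ref) > 2 and ref[0] != "" and ref[1:] == pat[1:]
    return ref == pat


def cert_matches(reference, sans, root_aware):
    """True if any altName entry matches the reference name."""
    return any(san_matches(reference, s, root_aware) for s in sans)


if __name__ == "__main__":
    sans = ["my.host.name"]  # constructed certificate altName list
    for ref in ("my.host.name", "my.host.name."):
        print(ref, cert_matches(ref, sans, False), cert_matches(ref, sans, True))
```
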