On Fri, Feb 22, 2013 at 03:30:57PM -0800, Geoffrey Keating wrote:
> This is clarified in RFC 3280:
>
>    When the subjectAltName extension contains a domain name system
>    label, the domain name MUST be stored in the dNSName (an IA5String).
>    The name MUST be in the "preferred name syntax," as specified by
>    RFC 1034 [RFC 1034].

I agree on what that spec says. My concern is that a rooted domain name is (will be?) valid in practice, and is supported by client software seemingly everywhere. The spec for a URL also calls out what constitutes a hostname, and I've yet to see an HTTP client that trips over a rooted domain name. (Yes, I'm aware an alternate bit of terminology has been proposed, but I'm trying to be consistent for the duration of this thread.)

Still, I'm not arguing about what should be allowed; I'm trying to come up with the words to explain to end-users.

--
Brian Reichert <reichert@numachi.com>
BSD admin/developer at large
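
Added example, not part of the original thread: a small checker that applies the RFC 1034 "preferred name syntax" quoted above to candidate dNSName values and separates rooted names (trailing dot) from otherwise malformed ones. The function names and sample hostnames are constructed for illustration.

```python
import re

# RFC 1034 section 3.5, "preferred name syntax":
#   <subdomain> ::= <label> | <subdomain> "." <label>
#   <label>     ::= <letter> [ [ <ldh-str> ] <let-dig> ]
# A label starts with a letter, ends with a letter or digit, and has only
# letters, digits and hyphens in between. The grammar has no trailing dot.
LABEL_RE = re.compile(r"[A-Za-z](?:[A-Za-z0-9-]*[A-Za-z0-9])?")
MAX_LABEL = 63  # RFC 1034: labels must be 63 characters or less
# Note: the overall name length limit is not checked in this example.


def is_preferred_name(name: str) -> bool:
    """True if every dot-separated label matches the RFC 1034 grammar."""
    labels = name.split(".")  # a trailing dot yields an empty final label
    return all(
        len(label) <= MAX_LABEL and LABEL_RE.fullmatch(label) is not None
        for label in labels
    )


def classify_dnsname(name: str) -> str:
    """Return 'ok', 'rooted' (valid apart from one trailing dot) or 'invalid'."""
    if is_preferred_name(name):
        return "ok"
    if name.endswith(".") and is_preferred_name(name[:-1]):
        return "rooted"
    return "invalid"


def check_san(dns_names):
    """Classify each candidate dNSName value, preserving input order."""
    return {name: classify_dnsname(name) for name in dns_names}


if __name__ == "__main__":
    # Constructed sample values, not taken from any real certificate.
    samples = [
        "www.example.com",    # conforms to the preferred name syntax
        "www.example.com.",   # rooted: resolves, but is outside the grammar
        "www..example.com",   # empty label
        "-bad.example.com",   # label starts with a hyphen
    ]
    for name, verdict in check_san(samples).items():
        print(f"{name!r}: {verdict}")
```

The 'rooted' verdict isolates the case discussed in this thread: a name that differs from a conforming dNSName only by its trailing dot.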