Re: Remembering Passwords in IE

[scott () RENFRO ORG (Scott Renfro)]

On Wed, Apr 05, 2000 at 06:35:02PM +0100, Dom De Vitto wrote:
> I've a client that has two sets of systems, live and test.
>
> Live systems are https://www.whatever, test is https://www-test.whatever
>
> Though setup with identical files & certs (just different names)
> www-test never spits out any complaints from our browsers....
>
> I think the hostname->cert matching is "optional"...

The hostname->subject common name check isn't optional (or shouldn't
be and doesn't appear to be on NS and IE5), but both browsers
support the use of a '*' wildcard to allow matching multiple
machines in a single domain.

So a certificate issued to *.example.com would pass the name
check for www.example.com, test.example.com, and rogue.example.com.
The version 4 browsers (I haven't tried this lately) would
allow the * to be used to mask out larger namespaces (e.g.,
*.com). I don't remember, but it seems that one or more
browsers allowed a common name of '*' to match any domain name.

In practice, the rogue use of this feature (e.g., getting a
cert issued to '*' rather than '*.example.com') is supposed to
be prevented by diligent Certification Authorities.  Are all
the issuing CAs under these 107 trusted root CAs that ship
with IE5 applying this diligence? Your guess is as good as mine.

-scott