Re: Remembering Passwords in IE

[mhallacy () MERCURY XTRATYME COM (Matthew S. Hallacy)]

> > The hostname->subject common name check isn't optional (or shouldn't
> > be and doesn't appear to be on NS and IE5), but both browsers
> > support the use of a '*' wildcard to allow matching multiple
> > machines in a single domain.
> >
> > So a certificate issued to *.example.com would pass the name
> > check for www.example.com, test.example.com, and rogue.example.com.
> > The version 4 browsers (I haven't tried this lately) would
> > allow the * to be used to mask out larger namespaces (e.g.,
> > *.com). I don't remember, but it seems that one or more
> > browsers allowed a common name of '*' to match any domain name.
> >
> > In practice, the rogue use of this feature (e.g., getting a
> > cert issued to '*' rather than '*.example.com') is supposed to
> > be prevented by diligent Certification Authorities.  Are all
> > the issuing CAs under these 107 trusted root CAs that ship
> > with IE5 applying this diligence? Your guess is as good as mine.

Actually, www.mp3.com, click on the 'my.mp3.com' link, their cert was
issued by 'Thawte Server CA' for '*.mp3.com' valid from 2/14/00 to 2/27/01

CN = *.mp3.com
OU = Engineering
O = MP3.COM, INC.
L = San Diego
S = California
C = US

MSIE 5.00.2919.3800, 56bit, complains that the hostname does not match.