Regarding wildcard certs, we had the following exchange...

On 3/31/10 4:15 PM, Peter Saint-Andre wrote:
> On 3/18/10 1:54 PM, Michael Ströder wrote:
>> Joe Orton wrote:
>>> On Thu, Mar 18, 2010 at 07:07:31AM +0300, ArkanoiD wrote:
>>>> Second level domain MUST NOT be wildcarded, thus *.com is invalid and
>>>> should never match. (as well as "*", of course)
>>>
>>> I don't think it's appropriate for the draft to specify any requirement 
>>> beyond the "left-most label" rule, so far as wildcards go.  I could 
>>> imagine a "*.local" or similar could be useful to allow, and *.com is 
>>> really little more dangerous than *.co.uk.
>>
>> Good point with *.co.uk but I'd draw the opposite conclusion from it:
>> I'd rather like to see wildcards forbidden completely or at least strongly
>> discouraged.
> 
> I would, too. There are significant security concerns with them (related
> to phishing attacks and such).
> 
> However, some CAs will issue wildcard certs to certificate holders who
> are more highly verified (e.g., Class 2 certificates requiring identity
> verification of some kind). So I think this is an open issue.

This issue is still open. :)

The general approach I would take is to say this:

1. If the wildcard character is included in a cert, it MUST be the
entire left-most domain label (per IESG position).

2. A certification authority SHOULD NOT include the wildcard character
in certificates unless it has appropriate safeguards, strong identity
checking, or high trust in the recipient (e.g., "Class 2" or "Class 3"
certificates -- speaking of which, are these terms defined anywhere?).

3. We need to clearly document the security problems with wildcard certs
so that CAs can intelligently decide whether to issue them.

Peter

-- 
Peter Saint-Andre
https://stpeter.im/


_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
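The "entire left-most label" rule from point 1, and the concern that this rule alone still accepts identifiers such as *.com or *.co.uk, can be shown in a few lines of code. The example below is added here and is not code from the thread or from any IETF draft; the function names, the sample identifiers and the small set of "public suffix" labels used by the breadth check are my own constructions, standing in for whatever local policy a CA or verifier would actually apply.

```python
"""Wildcard identifier checks under the "entire left-most label" rule.

Added example (not from the certid thread). Names and sample data are constructed.
"""
from __future__ import annotations


def split_labels(name: str) -> list[str]:
    """Normalise a DNS name: strip a trailing dot, lower-case, split into labels."""
    name = name.rstrip(".").lower()
    if not name:
        raise ValueError("empty name")
    return name.split(".")


def wildcard_is_well_formed(identifier: str) -> bool:
    """True when the identifier has no wildcard, or the wildcard is the whole
    left-most label with at least one label to its right (so a bare "*",
    "w*.example.com" and "www.*.com" are all rejected)."""
    if "*" not in identifier:
        return True
    labels = split_labels(identifier)
    if labels[0] != "*":
        return False                      # wildcard must be the entire left-most label
    if any("*" in label for label in labels[1:]):
        return False                      # no wildcard anywhere else
    return len(labels) >= 2               # bare "*" is not an identifier


def matches(identifier: str, presented: str) -> bool:
    """Does a certificate identifier match a presented host name?
    A wildcard label matches exactly one label, never zero and never several."""
    if not wildcard_is_well_formed(identifier):
        return False
    id_labels = split_labels(identifier)
    host_labels = split_labels(presented)
    if id_labels[0] == "*":
        return (len(id_labels) == len(host_labels)
                and id_labels[1:] == host_labels[1:])
    return id_labels == host_labels


def is_overly_broad(identifier: str, public_suffixes: set[str]) -> bool:
    """Policy check for point 2: True when everything to the right of the wildcard
    is a registry-controlled suffix, so the cert would cover every registrant under
    it. The suffix set is supplied by the caller (an assumption here); a real
    deployment might derive it from the Public Suffix List."""
    if not wildcard_is_well_formed(identifier) or "*" not in identifier:
        return False
    parent = ".".join(split_labels(identifier)[1:])
    return parent in public_suffixes


if __name__ == "__main__":
    # Constructed sample suffixes for the demonstration; "*.local" is deliberately
    # left out, echoing the remark that it might be a useful wildcard to allow.
    SAMPLE_SUFFIXES = {"com", "co.uk"}
    for ident in ["*.example.com", "*.com", "*.co.uk", "*.local", "w*.example.com", "*"]:
        print(f"{ident:18} well-formed={wildcard_is_well_formed(ident)!s:5} "
              f"broad={is_overly_broad(ident, SAMPLE_SUFFIXES)}")
```

The point the thread makes falls out directly: `matches("*.com", "example.com")` and `matches("*.co.uk", "example.co.uk")` both return True under the left-most-label rule alone, which is why the draft text in point 1 leaves the breadth question to CA issuance policy (point 2) rather than to the matching rule.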