There are EV certificates as well, for which wildcards are strongly disallowed.
On Fri, Apr 09, 2010 at 10:55:34AM -0600, Peter Saint-Andre wrote:
> Regarding wildcard certs, we had the following exchange...
>
> On 3/31/10 4:15 PM, Peter Saint-Andre wrote:
> > On 3/18/10 1:54 PM, Michael Ströder wrote:
> >> Joe Orton wrote:
> >>> On Thu, Mar 18, 2010 at 07:07:31AM +0300, ArkanoiD wrote:
> >>>> Second level domain MUST NOT be wildcarded, thus *.com is invalid and
> >>>> should never match. (as well as "*", of course)
> >>>
> >>> I don't think it's appropriate for the draft to specify any requirement
> >>> beyond the "left-most label" rule, so far as wildcards go. I could
> >>> imagine a "*.local" or similar could be useful to allow, and *.com is
> >>> really little more dangerous than *.co.uk.
> >>
> >> Good point with *.co.uk but I'd draw the opposite conclusion from it:
> >> I'd rather like to see wildcards forbidden completely or at least strongly
> >> discouraged.
> >
> > I would, too. There are significant security concerns with them (related
> > to phishing attacks and such).
> >
> > However, some CAs will issue wildcard certs to certificate holders who
> > are more highly verified (e.g., Class 2 certificates requiring identity
> > verification of some kind). So I think this is an open issue.
>
> This issue is still open. :)
>
> The general approach I would take is to say this:
>
> 1. If the wildcard character is included in a cert, it MUST be the
> entire left-most domain label (per IESG position).
>
> 2. A certification authority SHOULD NOT include the wildcard character
> in certificates unless it has appropriate safeguards, strong identity
> checking, or high trust in the recipient (e.g., "Class 2" or "Class 3"
> certificates -- speaking of which, are these terms defined anywhere?).
>
> 3. We need to clearly document the security problems with wildcard certs
> so that CAs can intelligently decide whether to issue them.
>
> Peter
>
> --
> Peter Saint-Andre
> https://stpeter.im/
>
> _______________________________________________
> certid mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/certid
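As an added illustration (not code from the thread or from any IETF draft), the following matcher implements rule 1 from the quoted exchange, that a wildcard must be the entire left-most label, and makes the contested second-level rule a policy knob: `min_labels_after_wildcard=2` rejects `*.com` as ArkanoiD proposed, while `1` reflects Joe Orton's position of leaving it to the "left-most label" rule alone. The function and parameter names are my own; a bare `*` and partial-label wildcards like `w*.example.com` are rejected in every mode.

```python
import re

# One DNS label: letters, digits, hyphens, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$")


def _labels(name):
    """Lower-case and split a DNS name, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def wildcard_pattern_is_valid(pattern, min_labels_after_wildcard=2):
    """Accept a certificate name only if its wildcard use follows the rules.

    - No empty labels, no invalid characters.
    - If present, '*' must be the whole left-most label (rule 1 of the thread).
    - A bare '*' is never accepted.
    - At least `min_labels_after_wildcard` labels must follow the wildcard
      (2 rejects '*.com'; 1 permits it, per the opposing view in the thread).
    """
    labels = _labels(pattern)
    if any(lab == "" for lab in labels):
        return False
    if "*" not in pattern:
        return all(_LABEL_RE.match(lab) for lab in labels)
    # Wildcard present: it must be exactly the first label and appear nowhere else.
    if labels[0] != "*" or any("*" in lab for lab in labels[1:]):
        return False
    rest = labels[1:]
    if len(rest) < max(1, min_labels_after_wildcard):
        return False
    return all(_LABEL_RE.match(lab) for lab in rest)


def hostname_matches(pattern, hostname, min_labels_after_wildcard=2):
    """Return True if `hostname` is covered by the certificate name `pattern`.

    A wildcard matches exactly one label, so '*.example.com' does not cover
    'a.b.example.com'. Invalid patterns never match anything.
    """
    if not wildcard_pattern_is_valid(pattern, min_labels_after_wildcard):
        return False
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return bool(_LABEL_RE.match(h[0])) and p[1:] == h[1:]
    return p == h
```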
