On Wed, 2010-10-13 at 01:34 +0200, Martin Rex wrote:
> I consider the conservative approach of MSIE/SChannel and Firefox to
> allow a tail wildcard on the leftmost DNS label, in addition to a
> full wildcard, sensitive risk management combined with minimal complexity.

As I said before, I don't think this "risk management" argument is real.
CAs are responsible for not giving an entity a certificate that matches
names the entity does not own.  Why should we believe they are any more
likely to mess up via wildcards than, e.g., by setting the basic
constraint "CA: true"?

-- 
Matt

_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
