On 10/12/10 5:51 PM, Matt McCutchen wrote: > On Wed, 2010-10-13 at 01:34 +0200, Martin Rex wrote: >> I consider the conservative approach of MSIE/SChannel and Firefox to >> allow a tail wildcard on the leftmost DNS label, in addition to a >> full wildcard, sensitive risk management combined with minimal complexity. > > As I said before, I don't think this "risk management" argument is real. > CAs are responsible for not giving an entity a certificate that matches > names the entity does not own. Why should we believe they are any more > likely to mess up via wildcards than, e.g., by setting the basic > constraint "CA: true"?
Matt, what conclusion do you draw from your statement? IMHO it might lead to the conclusion that it doesn't matter what we put in the left-most label -- or even the conclusion that we don't need to restrict the location of the wildcard (e.g., foo.*.example.com or even *.*.example.com is fine) -- as long as the CA issues a certificate that matches a name the entity owns. Peter -- Peter Saint-Andre https://stpeter.im/ _______________________________________________ certid mailing list [email protected] https://www.ietf.org/mailman/listinfo/certid
