Matt McCutchen wrote:
>
> On Wed, 2010-10-13 at 01:34 +0200, Martin Rex wrote:
> > I consider the conservative approach of MSIE/SChannel and Firefox to
> > allow a tail wildcard on the leftmost DNS label, in addition to a
> > full wildcard, sensitive risk management combined with minimal complexity.
>
> As I said before, I don't think this "risk management" argument is real.
The risk management argument is VERY real.  Recall the numbers:

:   http://blog.johnath.com/2009/01/21/ssl-information-wants-to-be-free/
:
:   - 382860 total sites (hostnames) returned a cert
:   - 94438 of total sites used a wildcard cert (24%)
:   - 5% of total sites use the wildcard cert with CN=*.blogger.com
:   ... other blogging/mass-hosting sites similarly high usage
:
:   Only a handful (5) use the "f*.example.com" form; all those were certs
:   issued by the GoDaddy and starfieldtech.com CAs.

Full wildcard certs are dangerous, because they will match any host in a
domain (which makes them a much more interesting target for
credential-stealing).

I assume that a non-negligible fraction of those servers that are currently
using full wildcards could be using tail-match wildcards instead --
something which could reduce the risk for some of the other servers in a
domain.

The reason why tail-wildcards are rarely used is probably not that server
operators do not like them or browsers would not support them, but that
there are currently not enough CAs offering them.

Now instead of killing something which would help the risk management of
server operators, server-id-check should describe tail-wildcards on the
leftmost DNS label as an alternative to full wildcards as a MAY.

-Martin

_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
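As an added illustration of the two wildcard forms contrasted in the message above (this is example code written for this page, not code from server-id-check, from the browsers named, or from anyone in the thread), the Python below matches a certificate identifier against a hostname, accepting either a full wildcard or a "prefix*" tail wildcard, in the leftmost DNS label only, and then shows how many hosts in a constructed example.com inventory each form would cover. The requirement of at least two literal labels to the right of the wildcard, the refusal of other partial forms such as "*f", and the case and trailing-dot handling are assumptions made here, not rules taken from the post.

```python
"""Wildcard matching for TLS server identity checks (illustrative, not from the draft)."""


def _labels(name):
    # Assumption: DNS names compare case-insensitively and a trailing dot is insignificant.
    return name.rstrip(".").lower().split(".")


def matches_identity(pattern, hostname, allow_tail_wildcard=True):
    """Return True if certificate identifier `pattern` matches `hostname`.

    Rules implemented:
      * a wildcard-free pattern must match label for label;
      * a wildcard may appear only in the leftmost label and matches exactly one
        label, so "*.example.com" never matches "a.b.example.com";
      * "*" alone in the leftmost label is the full wildcard;
      * "f*" (wildcard at the tail of the leftmost label) is the tail wildcard and
        matches only labels beginning with "f"; it can be disabled to model a
        client that accepts full wildcards only;
      * assumption: at least two literal labels must follow the wildcard, so
        "*.com" is rejected;
      * assumption: any other partial form ("*f", "f*o", "f*.*") is rejected.
    """
    p_labels = _labels(pattern)
    h_labels = _labels(hostname)
    if any(lab == "" for lab in p_labels + h_labels):
        return False  # empty labels are malformed names
    if len(p_labels) != len(h_labels):
        return False  # a wildcard never spans a dot
    if any("*" in lab for lab in p_labels[1:]):
        return False  # wildcard permitted only in the leftmost label
    first = p_labels[0]
    if "*" not in first:
        return p_labels == h_labels
    if len(p_labels) < 3:
        return False  # assumption: "*.com"-style patterns are too broad
    if p_labels[1:] != h_labels[1:]:
        return False  # literal part of the name must match exactly
    if first == "*":
        return True  # full wildcard: any single leftmost label
    if not allow_tail_wildcard:
        return False
    if first.count("*") != 1 or not first.endswith("*"):
        return False  # only the "prefix*" tail form is handled here
    return h_labels[0].startswith(first[:-1])


def exposure(pattern, hostnames):
    """Hosts in `hostnames` whose identity a certificate for `pattern` would satisfy."""
    return sorted(h for h in hostnames if matches_identity(pattern, h))


# Constructed sample inventory for one domain; not taken from the survey cited in the post.
SAMPLE_HOSTS = [
    "www.example.com", "mail.example.com", "login.example.com",
    "ftp.example.com", "ftp2.example.com", "files.example.com",
    "intranet.example.com", "a.b.example.com",
]

if __name__ == "__main__":
    for pat in ("*.example.com", "f*.example.com"):
        covered = exposure(pat, SAMPLE_HOSTS)
        print(f"{pat:18} covers {len(covered)} of {len(SAMPLE_HOSTS)} hosts: {covered}")
```

Run stand-alone, the script prints that a full-wildcard certificate for example.com satisfies the identity check for every single-label host in the inventory (a stolen key for it is usable against the login and mail hosts as well), while the tail-wildcard form "f*.example.com" is only good for the three hosts whose leftmost label begins with "f".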
