> Note that at least two technology communities have forbidden wildcard
> certificates:
>
> 1. RFC 5992 forbids wildcard certificates in the SIP community.
>
> 2. The CA/Browser Forum doesn't allow issuance of wildcard certificates
> under its "Extended Validation Certificates" profile.
>
> So there is some precedent for forbidding wildcard certificates. Is that
> a best current practice? Should this I-D state that wildcard
> certificates (of whatever variety) are NOT RECOMMENDED?


I'm thinking that the latter is the way to go wrt wildcards. RFC2119 sez..

4. SHOULD NOT   This phrase, or the phrase "NOT RECOMMENDED" mean that
   there may exist valid reasons in particular circumstances when the
   particular behavior is acceptable or even useful, but the full
   implications should be understood and the case carefully weighed
   before implementing any behavior described with this label.

..which certainly sounds reasonable for this situation.

Our working copy of -tls-server-id-check (which we are trying to pub by end of this week) has further clarifications wrt the spec's not outright forbidding current practice and various other current specifications, thus present wildcard use does not necessarily conflict with such a "NOT RECOMMENDED" stance. Plus such a stance aligns better with the EV Guidelines, RFC5992, and perhaps other specs going forward.

=JeffH


_______________________________________________
certid mailing list
https://www.ietf.org/mailman/listinfo/certid