On Thu, Apr 21, 2016 at 9:15 AM, Rick Andrews <rick_andr...@symantec.com> wrote:
> On Thursday, April 21, 2016 at 3:35:55 AM UTC-7, Ryan Sleevi wrote:
>> On Wednesday, April 20, 2016 at 5:53:28 PM UTC-7, Matt Palmer wrote:
>> > It seems fairly dysfunctional if a single member of the CA/B Forum can
>> > prevent a ballot from going ahead.
>>
>> To be clear: That is not the same as what I said. No single member can 
>> prevent a ballot going forward - but it can be enough to discourage someone 
>> from proposing/progressing on a ballot due to not feeling strongly enough.
>>
>> You can see an original proposal raised on 
>> https://cabforum.org/pipermail/public/2016-March/006933.html (which I 
>> referred to earlier). There was interest in proposing a ballot, but that 
>> interest waned with Symantec's objections.
>
> I wouldn't say I had objections; I merely pointed out that the BRs, as 
> written, prohibit a type of wildcard that Microsoft officially allows in TLS 
> certificates (https://support.microsoft.com/en-us/kb/258858), specifically, 
> w*.example.com and ww*.example.com. Ideally, CAs and/or Microsoft would have 
> noticed that long ago and brought it up to be resolved before it was encoded 
> in the BRs. So I admit that we were negligent in not raising the issue 
> sooner, but I won't take full blame for it, because other CAs also issued 
> such certificates and Microsoft could have disclosed the conflict. Microsoft 
> has now expressed their opinion that they need to allow them 
> (https://cabforum.org/pipermail/public/2016-April/007335.html).

In the context of Mozilla, I don't think there is anything more
specific than the BRs on wildcards.  Given that it is clear that the
current text can be interpreted in multiple ways, I don't think that the
cited certificate(s) should be at issue for enabling EV for this CA.

Thanks,
Peter
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
