On Thursday, 20 April 2017 14:03:36 UTC+1, Gervase Markham wrote:
> I propose this section be removed from the document.

I am not so sure the section ought to be removed. Wildcard DV is potentially problematic. Historically we have seen problems that wouldn't have happened or would be much less serious without Wildcard DV issuance. In particular because domain "validation" for the wildcard is sketchy.

While of course the Ballot 169 rules are a big improvement, I'm really not sure I'm comfortable with the implication today that, well, we did one of the Ballot 169 checks for example.com, so now we'll issue for *.example.com and everything is just fine.

I'm not so uncomfortable with it that I want Mozilla to try to get it stopped, but I think signalling some residual discomfort here is worthwhile until somebody has thought through a good policy, and preferably at least got the big CAs to go along with it in principle even if we don't have it in formal Mozilla policy or the BRs.