On 21/04/17 12:09, Nick Lamb wrote:
> Of the ballot 169 methods, 3.2.2.4.7 is most obviously appropriate
> for verifying that the applicant controls the entire domain and thus
> *.example.com, whereas say 3.2.2.4.6 proves only that the applicant
> controls a web server, it seems quite likely they have neither the
> legal authority nor the practical ability to control servers with
> other names in that domain. I can see arguments either way for
> 3.2.2.4.4, depending on how well email happens to be administrated in
> a particular organisation.

So your concern is that a subset of the 10 Blessed Methods might not be
suitable for verifying the level of control necessary to safely issue a
wildcard cert?

If that's true, we should look at it, but I don't see how that's
connected with saying or not saying on our wiki page that wildcard certs
are inherently problematic.

So, to analyse: you are saying that demonstrating control over
http://www.example.com/ and getting a cert for *.www.example.com is
shaky? Or demonstrating control of http://example.com/ and getting a
cert for *.example.com? Or something else?

Gerv
_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
