I think this is getting weird. At first (some other thread) it gets explained that e.g. LetsEncrypt does not do anything beyond domain validation and possibly, on notification, take down a few certificates of phishing sites. And that was "... all OK because we want SSL to be used everywhere, and anyway domain validation means just that, nothing more..."

And now you guys are suddenly seeing problems in wildcard certificates "... because it could be used for phishing..." Ehm, what?

Our site (category tiny) has LetsEncrypt certificates on several domain names and a single Comodo wildcard certificate for okaphone.com,*okaphone.com. We currently have the following set of domain names in the global DNS:

klant.okaphone.com
munin.okaphone.com
hans.okaphone.com
kassa.okaphone.com
ntp.okaphone.com
okaphone.com
stats.okaphone.com
svn.okaphone.com
vpn.okaphone.com
webcam.okaphone.com
www.okaphone.com

I terminate HTTPS with Pound and distribute the traffic from there to a number of servers (I'll spare you the details ;-). This setup gives me flexibility and it changes regularly for all kinds of reasons that have to do with our business. I like it this way. That's why I'm paying Comodo for their services.

If you are going to make this kind of thing impossible then you are:

1) Frustrating me.
2) Causing Comodo to lose business, for I will have to use LetsEncrypt instead.
3) Putting all my eggs in one basket (there is currently no alternative to LetsEncrypt).
4) Not solving the problem at all; it's easy to get a certificate for a phishing domain from LetsEncrypt.
5) Trying to do something that certificates are not meant for. I don't think it is (or should be) the responsibility of CAs to verify that sites are not used for phishing.

I'd say, this is not a good idea at all. :-(

CU Hans

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy