On Wed, Apr 26, 2017 at 5:17 PM, okaphone.elektronika--- via dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> If this is about the possible consequences of compromise, then I'd say you
> should try to address that. But please do come up with something that still
> allows for enough flexibility, so I can arrange the HTTPS everywhere you
> guys (browsers that is ;-) want so much. At least while there is only a
> single CA (LetsEncrypt) that offers an alternative for wildcards for a
> reasonable fixed price.
I'm not sure about your concern - there's otherwise been broad support for wildcards, only concerns related to the methods used to validate them to ensure they're meaningful.

> After all the internet is also about variety isn't it? Seems to me there
> are not all that many CAs around... I do like the LetsEncrypt initiative
> but I also do hope they will not become the only choice. :-(
>
> I could live with wildcards that would only work for one DNS level for
> instance. Would that be an improvement?

They already only work for one DNS level, as a certificate. The authorization the CA performs, however, lets them issue wildcards for any number of subordinate subdomains - but only one wildcard in each, and each certificate only covers a single hierarchy.

I realize that the conversation may be complex here, but I think it might be best to simply assure you that your concerns are not misunderstood, but more importantly, they are unwarranted, because no one is discussing anything that would (negatively) impact the set of use cases you've described so far. It's probably just a misunderstanding as to what's being discussed and the subtlety of the validation points :)

_______________________________________________
dev-security-policy mailing list
dev-security-policy@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security-policy
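The point made above, that a wildcard certificate only ever covers one DNS level, is easy to get wrong when reading certificates by hand. The following is an added example (not from the thread, not Mozilla or NSS code) that implements the single-label wildcard rule mainstream browsers apply and the CA/Browser Forum Baseline Requirements require for dNSName SANs: `*` is accepted only as the entire leftmost label and matches exactly one label, so `*.example.com` covers `www.example.com` but neither `a.b.example.com` nor the bare `example.com`. The sample SAN list and the "at least two labels after the wildcard" floor are assumptions made for illustration; real clients also consult the public suffix list, which this code does not.

```python
import ipaddress
from typing import Iterable


def matches_wildcard(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the dNSName SAN `pattern`.

    Rules implemented (browser / Baseline Requirements style, not full RFC 6125):
      * a literal pattern must match the host exactly (case-insensitively);
      * '*' is only valid as the whole leftmost label, and only once;
      * '*' matches exactly one non-empty label, never zero and never several;
      * IP address literals are never matched by dNSName entries.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not pattern or not hostname:
        return False

    # A dNSName SAN cannot cover an IP literal; that needs an iPAddress SAN.
    try:
        ipaddress.ip_address(hostname)
        return False
    except ValueError:
        pass

    if "*" not in pattern:
        return pattern == hostname

    p_labels = pattern.split(".")
    h_labels = hostname.split(".")

    # Wildcard must be the entire leftmost label ("*.example.com");
    # "w*.example.com" and "*.*.example.com" are rejected.
    if p_labels[0] != "*" or any("*" in label for label in p_labels[1:]):
        return False

    # Assumption for this example: refuse patterns as broad as "*.com".
    # Real clients additionally reject wildcards on public suffixes.
    if len(p_labels) < 3:
        return False

    # One level only: the host must have exactly as many labels as the pattern,
    # so "a.b.example.com" and "example.com" both fail against "*.example.com".
    if len(h_labels) != len(p_labels):
        return False
    if not h_labels[0] or "*" in h_labels[0]:
        return False
    return h_labels[1:] == p_labels[1:]


def covered_by(cert_sans: Iterable[str], hostname: str) -> bool:
    """True if any SAN in the certificate covers `hostname`."""
    return any(matches_wildcard(san, hostname) for san in cert_sans)


# Constructed sample SAN list; not taken from any real certificate.
SAMPLE_SANS = ["*.example.com", "example.com", "*.api.example.net"]

if __name__ == "__main__":
    for host in ["www.example.com", "a.b.example.com", "example.com",
                 "v1.api.example.net", "api.example.net"]:
        print(f"{host:22} covered={covered_by(SAMPLE_SANS, host)}")
```

Note that `*.example.com` and `example.com` had to be listed as separate SANs for the bare domain to be covered, which is exactly why commercial wildcard certificates usually carry both entries.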