Visiting the www.emsign.com homepage brings up a list of proposed products. Currently, in the "Types of Certificate" table halfway down the page is the following: Wildcard SSL - OV Wildcard SSL - EV UCC Wildcard SSL - DV UCC Wildcard SSL - OV UCC Wildcard SSL - EV
That's not a good sign at all, since two of those imply EV and wildcard as a single product. EV certificates cannot contain wildcards! This has always been the case so why is this company, claiming 10 years experience, making a mistake like this to propose such a product? Sam P.S. Sorry I don't contribute as much as I could, I do monitor this list and read through regularly however. Source: http://web.archive.org/web/20181011224402/http://emsign.com/ (Saved to Web Archive in case the page is changed after this is pointed out). On Thu, Oct 11, 2018 at 11:33 PM Matt Palmer via dev-security-policy < dev-security-policy@lists.mozilla.org> wrote: > On Thu, Oct 11, 2018 at 02:36:18PM -0700, Wayne Thayer via > dev-security-policy wrote: > > Nick - I expect an emSign representative to respond to all of your > > questions, but their information request indicates that they have been > > operating the Indian Government Root for more than 10 years and have > issued > > over 35 million certificates: > > https://bug1442337.bmoattachments.org/attachment.cgi?id=8955223 > > The phrasing in the paragraph (I think) you're referencing is ambiguous: > > > eMudhra has been a licensed CA under Controller of Certifying Authorities > > which operates the Indian Government Root for more than 10 years > > I'm not sure whether it's eMudhra or the "Controller of Certifying > Authorities" which has been operating the Indian Government Root for more > than 10 years. At any rate, I can't seem to find any information about > this > "Indian Government Root", how it works, what it's used for, and what its > criteria are, and so it's a bit hard to tell whether it's anything to be > particularly proud of. > > If eMudhra *have* been in the CA business for 10 years, but they still > managed to produce a CPS with the extensive list of "Bad"-grade practices > you enumerated in your opening e-mail, that's... not encouraging. > > - Matt > > _______________________________________________ > dev-security-policy mailing list > dev-security-policy@lists.mozilla.org > https://lists.mozilla.org/listinfo/dev-security-policy > _______________________________________________ dev-security-policy mailing list dev-security-policy@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security-policy