On 11/09/2011 10:20 AM, Phillip Hallam-Baker wrote:
> I am not sure that owning example.com should allow someone to establish a
> prohibition issue of certs to example.com.**.com.

It's not clear to me who you think suggested this; i certainly didn't,
and i think it would be a terrible idea.
My use of this "prefix-style" approach to the sAN was as an attempt to
scatter some chaff to distract from the public/global name "hidden" in
the sAN list.
My concern is that the CAs in question appear to be signing certificates
for names that do not have any domain suffix at all, or have a suffix
(like .local) known to be used in a colliding fashion by many people.
I'm baffled by the idea that any CA would think it reasonable to sign a
.local name for a certificate of any duration, let alone a 5 year duration.
--dkg
