On Fri, 07 Aug 2009 21:28:58 -0400 Jorey Bump <l...@joreybump.com> wrote:
> > I understand that wildcard certs can be
> > considered a security risk, but is the risk really much greater if
> > it includes a longer hostname?
>
> *.com

Here's a better example. I might be willing to have my server say, "Yes, that's me" to this name:

southamericadip.asciiking.com

But not this one:

guns.southamericadip.asciiking.com

If I make a delegation in DNS to the person running South America Diplomacy, however, I don't have any further control over downstream consumers of the subdomain. Someone who behaves perfectly well on my server might be an exceedingly poor judge of character. Without limiting the depth of the certificate, I would have no way to accept a TLS connection as the first without being open to the second.

I love waking up to a subpoena, don't you? :-)

Chris Babcock
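The depth question in the message above is exactly what standard wildcard matching settles: under RFC 6125 section 6.4.3, a `*` may only be the whole leftmost label of a certificate name and stands in for exactly one DNS label, so `*.asciiking.com` covers `southamericadip.asciiking.com` but not `guns.southamericadip.asciiking.com`. The following checker is an added illustration written for this thread, not code from the poster or the list; it uses the hostnames from the mail and applies the single-label rule, plus a conservative refusal of a wildcard with fewer than two fixed labels (so `*.com` never matches).

```python
"""Wildcard certificate name matching as TLS clients perform it.

Added illustration for the thread above, not code from the poster.
Implements the single-label wildcard rule of RFC 6125 section 6.4.3:
'*' may only be the entire leftmost label and it matches exactly one
label, so a wildcard never spans a dot. Hostnames are taken from the mail.
"""


def _labels(name: str) -> list[str]:
    # DNS names are case-insensitive; a trailing dot marks the root and is dropped.
    return name.lower().rstrip(".").split(".")


def dns_name_matches(presented: str, hostname: str) -> bool:
    """Return True if the certificate name `presented` covers `hostname`."""
    p, h = _labels(presented), _labels(hostname)

    if "*" not in presented:
        # No wildcard: the names must agree label for label.
        return p == h

    # Wildcard rules: exactly one '*', it must be the whole leftmost label,
    # and at least two fixed labels must follow it (rejects '*.com').
    if presented.count("*") != 1 or p[0] != "*" or len(p) < 3:
        return False

    # The '*' stands in for exactly one label, so the label counts must be
    # equal and everything right of the wildcard must match exactly.
    return len(p) == len(h) and p[1:] == h[1:]


def covered_by(presented: str, hostnames: list[str]) -> dict[str, bool]:
    """Map each hostname to whether `presented` would be accepted for it."""
    return {host: dns_name_matches(presented, host) for host in hostnames}


if __name__ == "__main__":
    # Constructed sample: the two names from the mail, checked against a
    # wildcard at each of the two depths under discussion.
    hosts = [
        "southamericadip.asciiking.com",
        "guns.southamericadip.asciiking.com",
    ]
    for cert_name in ("*.asciiking.com", "*.southamericadip.asciiking.com"):
        for host, ok in covered_by(cert_name, hosts).items():
            print(f"{cert_name:36} {'accepts' if ok else 'rejects':8} {host}")
```

The point for the operator is that a certificate for `*.asciiking.com` already stops at the first delegated label; only a certificate issued for `*.southamericadip.asciiking.com` (or the delegate's own leaf certificate) would let the deeper name be accepted, which keeps the decision with whoever controls issuance for that zone.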