On Fri, 07 Aug 2009 21:28:58 -0400
Jorey Bump <l...@joreybump.com> wrote:

> > I understand that wildcard certs can be
> > considered a security risk, but is the risk really much greater if
> > it includes a longer hostname?
> 
> *.com

Here's a better example. I might be willing to have my server say,
"Yes, that's me" to this name:

        southamericadip.asciiking.com

But not this one:

        guns.southamericadip.asciiking.com

If I make a delegation in DNS to the person running South America
Diplomacy, however, I don't have any further control over downstream
consumers of the subdomain. Someone who behaves perfectly well on my
server might be an exceedingly poor judge of character. Without
limiting the depth of the certificate, I would have no way to accept a
TLS connection as the first without being open to the second.

I love waking up to a subpoena, don't you? :-)

Chris Babcock
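The depth limit Chris describes is exactly what the RFC 6125 wildcard rule gives a TLS client: a `*` in a certificate name stands for one DNS label only. Below is an added example, not code from this thread, that implements that rule for the two hostnames from the message; the function name `hostname_matches` and the simplified public-suffix check are the example's own choices.

```python
"""Wildcard certificate name matching following RFC 6125 section 6.4.3.

Added example, not part of the mailing-list thread.  A wildcard dNSName
such as *.asciiking.com covers southamericadip.asciiking.com but not
guns.southamericadip.asciiking.com, because the wildcard matches exactly
one left-most label.  Hostnames are the ones used in the thread.
"""


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the certificate name `pattern`."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")

    if "*" not in pattern:
        # No wildcard: the names must be label-for-label identical.
        return p_labels == h_labels

    # Only one wildcard is allowed and it must be the whole left-most label
    # (partial-label forms such as s*.asciiking.com are rejected here).
    if pattern.count("*") != 1 or p_labels[0] != "*":
        return False

    # Simplified public-suffix guard: require at least two labels after the
    # wildcard, so *.com is never accepted.  (A real client consults the
    # Public Suffix List; this check alone would still accept *.co.uk.)
    if len(p_labels) < 3:
        return False

    # The wildcard stands for exactly one non-empty label, so the label
    # counts must be equal; a deeper name like guns.<...> has one label
    # too many and is refused.
    if len(h_labels) != len(p_labels) or not h_labels[0]:
        return False

    return h_labels[1:] == p_labels[1:]


def accepted_names(pattern: str, candidates: list[str]) -> list[str]:
    """Filter `candidates` down to those a client would accept for `pattern`."""
    return [name for name in candidates if hostname_matches(pattern, name)]


if __name__ == "__main__":
    names = [
        "southamericadip.asciiking.com",       # one label below the wildcard
        "guns.southamericadip.asciiking.com",  # two labels below: refused
        "asciiking.com",                       # wildcard needs a label
    ]
    print(accepted_names("*.asciiking.com", names))
```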
