[cabfpub] Use of wildcard certificates by cloud operators

Kelvin Yiu kelviny at exchange.microsoft.com
Tue May 6 15:12:36 UTC 2014

Thanks Gerv and Ryan. It sounds like we have some consensus, at least among the "browsers". 

When it comes to making this clearer in the BR, I suspect it comes down to defining whether the owner of a domain has "control" of its subdomains and how CAs can verify the control and demonstrate due diligence to auditors. 

I haven't seen any feedback from CAs yet. Is this not a big issue for CAs, or are CAs still thinking about potential impact?


-----Original Message-----
From: Gervase Markham [mailto:gerv at mozilla.org] 
Sent: Tuesday, May 6, 2014 3:01 AM
To: Kelvin Yiu; public at cabforum.org
Subject: Re: [cabfpub] Use of wildcard certificates by cloud operators

I agree with Ryan :-)

On 05/05/14 18:10, Kelvin Yiu wrote:
> 1. Section 11.1.3 of the BR explicitly disallows wildcard
> certificates for registry controlled domains (e.g. *.com). The Mozilla 
> maintained http://publicsuffix.org is cited as an example of a public 
> suffix list where Azure, GAE, and AWS domains can be found. Does the 
> current usage of wildcard certificates by cloud operators violate the 
> BR? If so, is this intentional and what is the reason?

No. The PSL is in two sections for precisely this reason - there are privately-owned sites where an e.g. appspot.com cookie should not be allowed (allows one appspot site to perform cookie fixation attacks against another) but a *.appspot.com cert should be allowed. So we split the PSL logically into two to put sites like this in their own section.

> 2. Section 13.1.5 of the BR explicitly requires wildcard
> certificates that were “used to authenticate fraudulently misleading 
> subordinate FQDN” to be revoked within 24 hours. If the fraudulent 
> sites never had access to the private key of the wildcard certificate 
> and the cloud operator has a process to take down fraudulent sites, 
> should these wildcard certificates be required to be revoked?

Hmm. This is tricky. I suspect this situation was not considered when we wrote that. I'd lean towards No, but I'm not sure that's what the BRs say on their face, and I'd welcome more discussion.
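The two-section split of the PSL that Gerv describes is easy to see in code. The following is an added worked example for this page, not code from the CA/B Forum, Mozilla or the publicsuffix.org project. It embeds a small constructed PSL fragment (not the real list, but in the real file's section markers and rule syntax, including a `*.ck` wildcard rule and a `!www.ck` exception rule), implements the standard PSL matching algorithm, and then applies two different policies to the result: the browser cookie rule, where a cookie may never be scoped to a public suffix from either section, and the wildcard-certificate reading discussed in the thread, where `*.X` is refused only when X is a registry-controlled (ICANN-section) suffix. The `DEFAULT` section tag for unknown TLDs and the exact shape of `wildcard_cert_allowed` are this example's assumptions, not the BR text.

```python
"""Classify names against a two-section Public Suffix List (worked example)."""
from dataclasses import dataclass
from typing import List, Tuple

# Constructed PSL fragment for this example; NOT the real publicsuffix.org list.
PSL_TEXT = """\
// ===BEGIN ICANN DOMAINS===
// registry-controlled suffixes (constructed subset)
com
net
uk
co.uk
ck
*.ck
!www.ck
// ===END ICANN DOMAINS===
// ===BEGIN PRIVATE DOMAINS===
// privately-owned suffixes run by cloud operators (constructed subset)
appspot.com
cloudapp.net
// ===END PRIVATE DOMAINS===
"""


@dataclass(frozen=True)
class Rule:
    labels: Tuple[str, ...]  # rule labels left to right, e.g. ("co", "uk")
    exception: bool          # True for "!www.ck"-style exception rules
    section: str             # "ICANN" (registry-controlled) or "PRIVATE"


def parse_psl(text: str) -> List[Rule]:
    """Parse PSL text, tagging every rule with the section it appears in."""
    rules: List[Rule] = []
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("// ===BEGIN ICANN DOMAINS==="):
            section = "ICANN"
        elif line.startswith("// ===BEGIN PRIVATE DOMAINS==="):
            section = "PRIVATE"
        elif line.startswith("// ===END"):
            section = None
        elif line and not line.startswith("//"):
            if section is None:
                raise ValueError("rule outside any section: " + line)
            labels = tuple(line.lstrip("!").lower().split("."))
            rules.append(Rule(labels, line.startswith("!"), section))
    return rules


def _matches(rule: Rule, host_labels: List[str]) -> bool:
    """PSL matching: compare from the right; a '*' rule label matches any label."""
    if len(host_labels) < len(rule.labels):
        return False
    pairs = zip(reversed(rule.labels), reversed(host_labels))
    return all(r == "*" or r == h for r, h in pairs)


def public_suffix(host: str, rules: List[Rule]) -> Tuple[str, str]:
    """Return (public suffix, section). An exception rule wins, else the longest
    matching rule, else the implicit '*' rule (the bare TLD, tagged DEFAULT)."""
    labels = host.lower().rstrip(".").split(".")
    matching = [r for r in rules if _matches(r, labels)]
    exceptions = [r for r in matching if r.exception]
    if exceptions:
        rule = exceptions[0]
        count, section = len(rule.labels) - 1, rule.section  # drop leftmost label
    elif matching:
        rule = max(matching, key=lambda r: len(r.labels))
        count, section = len(rule.labels), rule.section
    else:
        count, section = 1, "DEFAULT"  # assumption: unknown TLD is registry-controlled
    return ".".join(labels[-count:]), section


def cookie_domain_allowed(domain: str, rules: List[Rule]) -> bool:
    """Browser rule: a cookie may not be scoped to a public suffix from either
    section, so appspot.com is refused while myapp.appspot.com is accepted."""
    suffix, _ = public_suffix(domain, rules)
    return domain.lower().rstrip(".") != suffix


def wildcard_cert_allowed(wildcard_name: str, rules: List[Rule]) -> bool:
    """Wildcard reading from the thread (this example's assumption): refuse '*.X'
    when X is a registry-controlled suffix (ICANN section or unknown TLD); allow
    it when X is a PRIVATE-section suffix or not a public suffix at all."""
    if not wildcard_name.startswith("*."):
        raise ValueError("expected a name of the form '*.example'")
    base = wildcard_name[2:].lower().rstrip(".")
    suffix, section = public_suffix(base, rules)
    return not (base == suffix and section != "PRIVATE")


RULES = parse_psl(PSL_TEXT)

if __name__ == "__main__":
    for name in ("*.com", "*.co.uk", "*.appspot.com", "*.example.com", "*.foo.ck"):
        print(f"{name:18} cert allowed:   {wildcard_cert_allowed(name, RULES)}")
    for domain in ("appspot.com", "myapp.appspot.com", "co.uk"):
        print(f"{domain:18} cookie allowed: {cookie_domain_allowed(domain, RULES)}")
```

The point to notice is that both policies run over the same suffix lookup and differ only in how they treat the section tag: the cookie check ignores it (any public suffix is off limits), while the certificate check uses it to separate `*.com` from `*.appspot.com`, which is exactly the distinction the split list was created to express.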

