[cabfpub] EV Wildcards

Bruce Morton bruce.morton at entrust.com
Fri Mar 20 06:27:07 MST 2015 

Hi Jeremy,

Thanks for bringing this up. Our position is that we would like EV certificates to be better than OV and DV. I think that was what we tried to do when the original specification was created.

We believe that wildcard certificates have a higher security risk. Another example of a risk is that if a subscriber wants to protect 10 subdomains then a wildcard certificate can be used. But what if an attacker adds an 11th subdomain, then the certificate can still be used. Seems like a risk we can avoid with the current EV spec.

As such, based on this risk and other examples which have been brought up, we would not be in favor of adding wildcard to EV.

Thanks, Bruce.

From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Thursday, March 19, 2015 7:00 PM
To: public at cabforum.org
Subject: [cabfpub] EV Wildcards

During the face-to-face, the forum discussed allowing wildcard characters in EV certificates.  The reasons for allowing it were:

1)      The lack of wildcard characters is one reason many large enterprises choose OV/DV over EV.  As entities move increasingly to cloud-based solutions and as IPv4 addresses become an increasingly limited resource, wildcards are being used in more and more places.

2)      EV domain validation is tied to the baseline requirements.  The baseline requirements, even with the proposed domain validation revisions, permit validation of the base domain of an FQDN.  Validation does not necessarily happen at each subdomain level. Therefore, putting wildcard characters doesn't increase the risk as CAs aren't looking specifically at the FQDN (except as part of the high risk check).

The reasons against allowing it were:

1)      CAs are looking at the FQDN as part of the high risk check.  (The counter to this was that high risk checks are highly language and CA dependent - I might not catch that bankofamerica.mydomain.com is a high risk domain if I'm operating outside the US)

2)      Eliminating wildcards ensures the requester knows exactly what domains are being covered by the EV cert.

There were probably more arguments for and against, but I think this gets the discussion started.

Jeremy



-------------- next part --------------
An HTML attachment was scrubbed...
URL: https://cabforum.org/pipermail/public/attachments/20150320/1b500b2b/attachment.html

More information about the Public mailing list