[cabfpub] EV Wildcards

Ryan Sleevi sleevi at google.com
Fri Mar 20 06:30:35 MST 2015


On Mar 20, 2015 6:27 AM, "Bruce Morton" <bruce.morton at entrust.com> wrote:
>
> Hi Jeremy,
>
> Thanks for bringing this up. Our position is that we would like EV
> certificates to be better than OV and DV. I think that was what we tried to
> do when the original specification was created.
>
> We believe that wildcard certificates have a higher security risk.
> Another example of a risk is that if a subscriber wants to protect 10
> subdomains then a wildcard certificate can be used. But what if an attacker
> adds an 11th subdomain, then the certificate can still be used. Seems like
> a risk we can avoid with the current EV spec.
>
> As such, based on this risk and other examples which have been brought
> up, we would not be in favor of adding wildcard to EV.
>
> Thanks, Bruce.

Hi Bruce,

I am having trouble understanding your attack scenario. Could you elaborate
on what it means for an attacker to add a subdomain - how that might happen
and what might be done by an attacker who could?
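As an added illustration of the scope question the two messages above are arguing about (this is editorial example code, not part of the thread and not from any CA/B Forum member), the Python below applies the RFC 6125 wildcard matching rules that TLS clients use and compares which hostnames an explicit-SAN certificate and a `*.example.com` certificate would be accepted for. The subscriber's ten-name inventory, the SAN lists and the "observed" host list (including an eleventh subdomain that is not in the inventory) are constructed for the example; `names_beyond_inventory` is a hypothetical audit helper, not a standard API.

```python
"""Editorial example: how a wildcard SAN widens the set of hostnames a
certificate is accepted for, compared with an explicit SAN list.

Matching follows the rules most TLS clients apply (RFC 6125 section 6.4.3):
the wildcard must be the entire left-most label, it matches exactly one
label, and it never matches the bare domain or a public suffix.
All names below are constructed for illustration.
"""


def _matches(pattern: str, hostname: str) -> bool:
    """Return True if `hostname` is covered by the SAN entry `pattern`."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # Only a whole left-most label may be a wildcard (reject "f*.example.com"
    # and "*.*.example.com"), and "*.com" is refused as a public-suffix match.
    if p_labels[0] != "*" or "*" in pattern[1:] or len(p_labels) < 3:
        return False
    # "*" matches exactly one label, so the label counts must be equal;
    # this is why "*.example.com" covers neither "example.com" nor
    # "deep.sub.example.com".
    if len(h_labels) != len(p_labels):
        return False
    return h_labels[1:] == p_labels[1:]


def covered_names(san_list, hostnames):
    """Subset of `hostnames` the certificate with `san_list` is accepted for."""
    return sorted(h for h in hostnames if any(_matches(p, h) for p in san_list))


def names_beyond_inventory(san_list, inventory, observed):
    """Hypothetical audit helper: hostnames in `observed` that the certificate
    covers but which are not in the subscriber's own inventory.  A non-empty
    result is the 'eleventh subdomain' situation from the thread."""
    return sorted(set(covered_names(san_list, observed)) - set(inventory))


# Constructed data: the ten subdomains the subscriber means to protect.
INVENTORY = [
    "www.example.com", "mail.example.com", "api.example.com",
    "shop.example.com", "login.example.com", "cdn.example.com",
    "blog.example.com", "static.example.com", "admin.example.com",
    "status.example.com",
]

# Two ways to issue for that inventory.
EXPLICIT_SANS = list(INVENTORY)
WILDCARD_SANS = ["*.example.com"]

# Constructed "observed" names: the inventory plus an eleventh subdomain that
# was never enumerated, a two-level name, the apex, and a look-alike domain.
OBSERVED = INVENTORY + [
    "eleventh.example.com",
    "deep.sub.example.com",
    "example.com",
    "notexample.com",
]

if __name__ == "__main__":
    for label, sans in (("explicit", EXPLICIT_SANS), ("wildcard", WILDCARD_SANS)):
        extra = names_beyond_inventory(sans, INVENTORY, OBSERVED)
        print(f"{label:8s} cert covers {len(covered_names(sans, OBSERVED))} of "
              f"{len(OBSERVED)} observed names; beyond inventory: {extra}")
```

Run stand-alone, the explicit certificate covers exactly the ten inventory names and nothing else, while the wildcard also covers `eleventh.example.com` (any single-label name that appears under the zone after issuance) but, per the matching rules, not the apex, not a deeper name, and not the look-alike domain. The defensive use is the audit direction: compare a certificate's SAN scope against the hostnames that actually exist under the zone, rather than trusting that the enumerated inventory is the whole story.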