[cabfpub] EV Wildcards
jeremy.rowley at digicert.com
Fri Mar 20 06:50:49 MST 2015
It seems awfully speculative to say EV would have prevented this under the current EV requirements.
Bruce Morton <bruce.morton at entrust.com> wrote:
Here is my recollection from an event.
We were informed that a site with a certificate we issued was blacklisted. We informed the customer, which had a wildcard certificate, and they had a site which they did not know about. Not sure if it was an internal attack or how it was posted. The result was not that we had a bad subscriber, but that we had a subscriber which was attacked but did not know it yet.
From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Friday, March 20, 2015 9:31 AM
To: Bruce Morton
Cc: CABFPub; jeremy rowley
Subject: Re: [cabfpub] EV Wildcards
On Mar 20, 2015 6:27 AM, "Bruce Morton" <bruce.morton at entrust.com> wrote:
> Hi Jeremy,
> Thanks for bringing this up. Our position is that we would like EV certificates to be better than OV and DV. I think that was what we tried to do when the original specification was created.
> We believe that wildcard certificates have a higher security risk. Another example of a risk is that if a subscriber wants to protect 10 subdomains then a wildcard certificate can be used. But what if an attacker adds an 11th subdomain, then the certificate can still be used. Seems like a risk we can avoid with the current EV spec.
> As such, based on this risk and other examples which have been brought up, we would not be in favor of adding wildcard to EV.
> Thanks, Bruce.
I am having trouble understanding your attack scenario. Could you elaborate on what it means for an attacker to add a subdomain - how that might happen and what might be done by an attacker who could?