[cabfpub] EV Wildcards

Jeremy Rowley jeremy.rowley at digicert.com
Fri Mar 20 07:14:28 MST 2015


My point is that the security benefits from having different validity periods are fictional. The same ease-of-use arguments for keeping three-year certs apply equally in favor of extending EV to three years.


Bruce Morton <bruce.morton at entrust.com> wrote:

My main point is that adding wildcard will provide same-ness with OV/DV without increasing security. This may appear to be a change for marketing purposes and not for security issues. I think that it is hard to increase security, so we need to be careful if we are planning to reduce it.

Bruce.

From: Jeremy Rowley [mailto:jeremy.rowley at digicert.com]
Sent: Friday, March 20, 2015 9:51 AM
To: Bruce Morton
Cc: Ryan Sleevi; CABFPub
Subject: Re: [cabfpub] EV Wildcards

It seems awfully speculative to say EV would have prevented this under the current EV requirements.


Bruce Morton <bruce.morton at entrust.com> wrote:
Here is my recollection from an event.

We were informed that a site with a certificate we issued was blacklisted. We informed the customer, which had a wildcard certificate, and they had a site which they did not know about. Not sure if it was an internal attack or how it was posted. The result was not that we had a bad subscriber, but that we had a subscriber which was attacked but did not know it yet.

Bruce.

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Friday, March 20, 2015 9:31 AM
To: Bruce Morton
Cc: CABFPub; jeremy rowley
Subject: Re: [cabfpub] EV Wildcards


On Mar 20, 2015 6:27 AM, "Bruce Morton" <bruce.morton at entrust.com> wrote:
>
> Hi Jeremy,
>
> Thanks for bringing this up. Our position is that we would like EV certificates to be better than OV and DV. I think that was what we tried to do when the original specification was created.
>
> We believe that wildcard certificates have a higher security risk. Another example of a risk is that if a subscriber wants to protect 10 subdomains then a wildcard certificate can be used. But what if an attacker adds an 11th subdomain, then the certificate can still be used. Seems like a risk we can avoid with the current EV spec.
>
> As such, based on this risk and other examples which have been brought up, we would not be in favor of adding wildcard to EV.
>
> Thanks, Bruce.

Hi Bruce,

I am having trouble understanding your attack scenario. Could you elaborate on what it means for an attacker to add a subdomain - how that might happen and what might be done by an attacker who could?
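Added example, not part of the thread: the "11th subdomain" risk Bruce raises comes down to how far a wildcard dNSName reaches compared with an explicit SAN list. The matcher below applies the RFC 6125 rules browsers use (a `*` matches exactly one left-most label, never a dot, and never the bare domain) and then flags hostnames that a certificate would validate for but that the subscriber's own inventory does not list. All hostnames and the inventory are constructed sample data.

```python
def hostname_matches(san: str, hostname: str) -> bool:
    """True if a presented hostname matches one dNSName SAN entry.

    Wildcard handling per RFC 6125 section 6.4.3: '*' must be the whole
    left-most label and matches exactly one label (no dots, no bare domain).
    """
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if not san.startswith("*."):
        return san == hostname                     # non-wildcard: exact match
    if "*" in san[2:]:
        return False                               # '*' only allowed as left-most label
    suffix = san.split(".")[1:]
    host_labels = hostname.split(".")
    return len(host_labels) == len(suffix) + 1 and host_labels[1:] == suffix


def covered_by_cert(sans, hostname: str) -> bool:
    """Would a certificate carrying these SAN entries validate for hostname?"""
    return any(hostname_matches(s, hostname) for s in sans)


def unknown_hosts_covered(sans, inventory, observed):
    """Hostnames seen in the wild that the cert validates for but that the
    subscriber never listed: the case Bruce describes, where a wildcard keeps
    working for a subdomain the subscriber did not know about."""
    known = {h.lower() for h in inventory}
    return sorted(h.lower() for h in observed
                  if covered_by_cert(sans, h) and h.lower() not in known)


# Constructed sample data: what the subscriber knows about, the two ways a
# CA could cover it, and hostnames later observed pointing at the cert.
INVENTORY = ["example.com", "www.example.com", "mail.example.com", "shop.example.com"]
EXPLICIT_SANS = list(INVENTORY)                    # one dNSName per known host
WILDCARD_SANS = ["*.example.com", "example.com"]   # wildcard plus bare domain
OBSERVED = ["www.example.com", "EXAMPLE.COM", "phish.example.com",
            "a.b.example.com", "evil-example.com"]

if __name__ == "__main__":
    print("explicit SANs, unknown hosts covered:",
          unknown_hosts_covered(EXPLICIT_SANS, INVENTORY, OBSERVED))
    print("wildcard SANs, unknown hosts covered:",
          unknown_hosts_covered(WILDCARD_SANS, INVENTORY, OBSERVED))
```

With the explicit list nothing unexpected is covered; with the wildcard, `phish.example.com` is, while `a.b.example.com` is not because a wildcard spans only one label.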