[cabfpub] EV Wildcards
Dean_Coclin at symantec.com
Fri Mar 20 12:56:32 MST 2015
"If mywebshop.appspot.com has an EV cert, what I want to know is who is running that business, and how I contact _them_ (or what info I can give to the police). Contact info for Google is not very useful in that circumstance!"
Gerv-I feel the same way when I see a site that has an OV cert issued to Cloudflare. The website business has nothing to do with Cloudflare yet all I can see in the cert is Cloudflare's name and OU info with about 20-30 SANs for unaffiliated names. And I'm not even sure how those names were vetted. As you said in the face to face, this is not a good situation.
From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Gervase Markham
Sent: Friday, March 20, 2015 6:21 AM
To: Jeremy Rowley; public at cabforum.org
Subject: Re: [cabfpub] EV Wildcards
On 19/03/15 23:00, Jeremy Rowley wrote:
> The reasons against allowing it were:
> 1) CAs are looking at the FQDN as part of the high risk check.
> (The counter to this was that high risk checks are highly language and
> CA dependent – I might not catch that bankofamerica.mydomain.com is a
> high risk domain if I’m operating outside the US)
> 2) Eliminating wildcards ensures the requester knows exactly what
> domains are being covered by the EV cert.
3) The purpose of EV is to place the identity of the website operator in the certificate, so that users know who it is they are dealing with when they interact with a site. If e.g. Google buy an EV cert for *.appspot.com to give EV to all their users, then it would be their information inside the cert, not the operator of foo.appspot.com or bar.appspot.com. This defeats the point of EV, rendering it effectively the same as DV.
To look at it another way: we all know how to contact Google, and that they are a legitimate business. If mywebshop.appspot.com has an EV cert, what I want to know is who is running that business, and how I contact _them_ (or what info I can give to the police). Contact info for Google is not very useful in that circumstance!
Public mailing list
Public at cabforum.org
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 6130 bytes
Desc: not available
Url : https://cabforum.org/pipermail/public/attachments/20150320/30988a3c/attachment.bin
More information about the Public