[cabfpub] EV Wildcards
sleevi at google.com
Thu Mar 26 15:09:44 MST 2015
On Thu, Mar 26, 2015 at 3:04 PM, Geoff Keating <geoffk at apple.com> wrote:
> I meant, they can order the same wildcard certificate. I’d hope there
> aren’t CAs who will allow orders for facebook.example.com even as DV.
[high risk] sort of follows the Potter-Stewart Rule , which is perhaps
one of the grand hard problems to quantify for procedures and process.
Facebook.example.com might be "high risk, won't issue" - but the BRs
certainly allow a CA to do so, perhaps under assurances that the customer
"Contractually agrees not to impersonate Facebook". As far as technical
controls go, [high risk] is for the most part meaningless as something you
can pin a hard security guarantee on, but hopefully enough of an incentive
for CAs to do some degree of due diligence.
It just doesn't make sense to use to justify an argument against wildcards,
precisely because it's a very fluid and loose definition means it's not a
firm security control. If we accent that firm security controls aren't
strictly required, and that process controls work, than process controls
against wildcards can work the same (e.g. "I'll give you a wildcard EV, but
only if you contractually agree not to impersonate Facebook")
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public