[cabfpub] EV Wildcards

Jeremy Rowley jeremy.rowley at digicert.com
Thu Mar 19 23:00:09 UTC 2015

During the face-to-face, the forum discussed allowing wildcard characters in EV certificates.  The reasons for allowing it were:

1)      The lack of wildcard characters is one reason many large enterprises choose OV/DV over EV.  As entities move increasingly to cloud-based solutions and as IPv4 addresses become an increasingly limited resource, wildcards are being used in more and more places.

2)      EV domain validation is tied to the baseline requirements.  The baseline requirements, even with the proposed domain validation revisions, permit validation of the base domain of an FQDN.  Validation does not necessarily happen at each subdomain level. Therefore, putting wildcard characters doesn't increase the risk as CAs aren't looking specifically at the FQDN (except as part of the high risk check).

The reasons against allowing it were:

1)      CAs are looking at the FQDN as part of the high risk check.  (The counter to this was that high risk checks are highly language and CA dependent - I might not catch that bankofamerica.mydomain.com is a high risk domain if I'm operating outside the US)

2)      Eliminating wildcards ensures the requester knows exactly what domains are being covered by the EV cert.

There were probably more arguments for and against, but I think this gets the discussion started.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150319/c09b7240/attachment-0002.html>

More information about the Public mailing list