[cabfpub] EV Wildcards

Eddy Nigg eddy_nigg at startcom.org
Thu Mar 19 23:20:50 UTC 2015

Thanks again Jeremy!

I would like to state the following fact as food for thought on this 

Today one can secure a (main) site with an EV certificate and have all 
content of that site including frames and iframes secured with a regular 
SSL certificate including wild cards. Browsers have always allowed this 
with the notable exception of Opera that had at some point a 
configuration setting for an "All EV" requirement. So if you are on an 
EV site, this doesn't mean that your connection is really secured with 
EV - a lot of information can still be leaked to other parties that have 
not undergone an extended validation, and that's usually not what you 
want (but usually you don't know).

If we consider this fact, I can't see why EV shouldn't be wild card 
enabled. Or to take it a step further, why should wild cards be possible 
with some weak domain control validation only? It's widely known that 
such wild card DVs can be easily abused.

On the other hand, EV has undergone a serious verification and the use 
of an EV certificate for malicious purposes by the certificate holder is 
almost zero. Except if the holder loses the key or something, but that's an 
entirely different story.

On 03/20/2015 01:00 AM, Jeremy Rowley wrote:
> During the face-to-face, the forum discussed allowing wildcard 
> characters in EV certificates. The reasons for allowing it were:
> 1) The lack of wildcard characters is one reason many large enterprises 
> choose OV/DV over EV.  As entities move increasingly to cloud-based 
> solutions and as IPv4 addresses become an increasingly limited 
> resource, wildcards are being used in more and more places.
> 2) EV domain validation is tied to the baseline requirements.  The 
> baseline requirements, even with the proposed domain validation 
> revisions, permit validation of the base domain of an FQDN.  
> Validation does not necessarily happen at each subdomain level. 
> Therefore, putting wildcard characters doesn't increase the risk as 
> CAs aren't looking specifically at the FQDN (except as part of the 
> high risk check).
> The reasons against allowing it were:
> 1) CAs are looking at the FQDN as part of the high risk check.  (The 
> counter to this was that high risk checks are highly language and CA 
> dependent -- I might not catch that bankofamerica.mydomain.com is a 
> high risk domain if I'm operating outside the US)
> 2) Eliminating wildcards ensures the requester knows exactly what 
> domains are being covered by the EV cert.
> There were probably more arguments for and against, but I think this 
> gets the discussion started.
> Jeremy

Signer: 	Eddy Nigg, COO/CTO
	StartCom Ltd. <http://www.startcom.org>
XMPP: 	startcom at startcom.org <xmpp:startcom at startcom.org>
Blog: 	Join the Revolution! <http://blog.startcom.org>
Twitter: 	Follow Me <http://twitter.com/eddy_nigg>
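The point both messages circle around is what a wildcard SAN actually covers and what a CA's high-risk screen gets to look at. The following is an added example, not code from the thread or from any CA: it implements the dNSName wildcard rules of RFC 6125 section 6.4.3 (the wildcard must be the whole left-most label and matches exactly one label, so `*.mydomain.com` covers `bankofamerica.mydomain.com` but neither `mydomain.com` nor `a.b.mydomain.com`), and then runs a toy high-risk screen over the name the CA would see in each request. The watch-list words and the `mydomain.com` names are constructed for the example.

```python
"""Wildcard SAN matching versus what a CA's high-risk screen sees.

Added example, not from the cabfpub thread. Implements RFC 6125 6.4.3
style wildcard matching and a toy watch-list screen; WATCHLIST and the
host names are constructed for illustration.
"""


def matches(san: str, hostname: str) -> bool:
    """True if the dNSName SAN `san` covers `hostname` (case-insensitive)."""
    san = san.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in san:
        return san == hostname
    san_labels = san.split(".")
    host_labels = hostname.split(".")
    # The wildcard must be the entire left-most label, it must be the
    # only wildcard, and at least two labels must follow it, so "*",
    # "*.com" and "f*.example.com" are all refused.
    if san_labels[0] != "*" or len(san_labels) < 3 or "*" in san[1:]:
        return False
    # "*" stands for exactly one label: no match for the bare base
    # domain and no match across two labels.
    if len(host_labels) != len(san_labels):
        return False
    return host_labels[1:] == san_labels[1:]


# Constructed watch list for the toy high-risk screen.
WATCHLIST = ("bankofamerica", "paypal", "login", "secure")


def high_risk_hits(name: str, watchlist=WATCHLIST) -> list:
    """Labels of `name` that contain a watch-list word; '*' is skipped."""
    hits = []
    for label in name.lower().split("."):
        if label == "*":
            continue
        if any(word in label for word in watchlist):
            hits.append(label)
    return hits


def ca_screen(requested_san: str) -> dict:
    """What the screen flags for the exact name the requester asked for.

    For a wildcard request the CA only sees "*.mydomain.com", so the
    later use of the certificate on bankofamerica.mydomain.com never
    passes through the screen; that is the asymmetry discussed above.
    """
    return {"requested": requested_san, "hits": high_risk_hits(requested_san)}


if __name__ == "__main__":
    cases = [
        ("*.mydomain.com", "bankofamerica.mydomain.com"),
        ("*.mydomain.com", "mydomain.com"),
        ("*.mydomain.com", "a.b.mydomain.com"),
        ("www.mydomain.com", "WWW.mydomain.com"),
    ]
    for san, host in cases:
        print(f"{san:18} covers {host:28} -> {matches(san, host)}")
    print(ca_screen("bankofamerica.mydomain.com"))
    print(ca_screen("*.mydomain.com"))
```

Run it as-is: the single-FQDN request is flagged by the screen, the wildcard request is not, yet the wildcard certificate covers the flagged host once issued.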
