[cabfpub] EV Wildcards

Gervase Markham gerv at mozilla.org
Fri Mar 20 10:21:21 UTC 2015

On 19/03/15 23:00, Jeremy Rowley wrote:
> The reasons against allowing it were:
> 1)      CAs are looking at the FQDN as part of the high risk check. 
> (The counter to this was that high risk checks are highly language and
> CA dependent – I might not catch that bankofamerica.mydomain.com is a
> high risk domain if I’m operating outside the US)
> 2)      Eliminating wildcards ensures the requester knows exactly what
> domains are being covered by the EV cert.

3) The purpose of EV is to place the identity of the website operator in
the certificate, so that users know who it is they are dealing with when
they interact with a site. If e.g. Google buy an EV cert for
*.appspot.com to give EV to all their users, then it would be their
information inside the cert, not the operator of foo.appspot.com or
bar.appspot.com. This defeats the point of EV, rendering it effectively
the same as DV.

To look at it another way: we all know how to contact Google, and that
they are a legitimate business. If mywebshop.appspot.com has an EV cert,
what I want to know is who is running that business, and how I contact
_them_ (or what info I can give to the police). Contact info for Google
is not very useful in that circumstance!


More information about the Public mailing list