[cabfpub] EV Wildcards

Ryan Sleevi sleevi at google.com
Fri Mar 20 13:26:12 UTC 2015

On Mar 20, 2015 4:04 AM, "Gervase Markham" <gerv at mozilla.org> wrote:

> 3) The purpose of EV is to place the identity of the website operator in
> the certificate, so that users know who it is they are dealing with when
> they interact with a site. If e.g. Google buy an EV cert for
> *.appspot.com to give EV to all their users, then it would be their
> information inside the cert, not the operator of foo.appspot.com or
> bar.appspot.com. This defeats the point of EV, rendering it effectively
> the same as DV.
>
> To look at it another way: we all know how to contact Google, and that
> they are a legitimate business. If mywebshop.appspot.com has an EV cert,
> what I want to know is who is running that business, and how I contact
> _them_ (or what info I can give to the police). Contact info for Google
> is not very useful in that circumstance!
>
> Gerv

Of course, as pointed out by a number of people, nothing in the EVGs today
actually ensures what you stated in 3 happens.

That is, in this hypothetical world, Google could go out and get EV certs
for foo.appspot.com, bar.appspot.com, and mywebshop.appspot.com, all of
which would have the exact same information in every field of the
certificate, all of which would point to Google.

Whether or not this defeats the point of EV is another matter, and is
perhaps a subjective evaluation. However, as it stands, EV has never worked
as you describe, so it is entirely consistent to allow wildcards.