[cabfpub] EV Wildcards

[Jeremy Rowley]

It seems awfully speculative to say EV would have prevented this under the current EV requirements.


Bruce Morton <bruce.morton at entrust.com> wrote:

Here is my recollection from an event.

We were informed that a site with a certificate we issued was blacklisted. We informed the customer which had a wildcard certificate and they had a site which they did not know about. Not sure if it was an internal attack or how it was posted. The result was not that we had a bad subscriber, but we had a subscriber which was attacked, but did not know it yet.

Bruce.

From: Ryan Sleevi [mailto:sleevi at google.com]
Sent: Friday, March 20, 2015 9:31 AM
To: Bruce Morton
Cc: CABFPub; jeremy rowley
Subject: Re: [cabfpub] EV Wildcards


On Mar 20, 2015 6:27 AM, "Bruce Morton" <bruce.morton at entrust.com<mailto:bruce.morton at entrust.com>> wrote:
>
> Hi Jeremy,
>
>
>
> Thanks for bringing this up. Our position is that we would like EV certificates to be better than OV and DV. I think that was what we tried to do when the original specification was created.
>
>
>
> We believe that wildcard certificates have a higher security risk. Another example of a risk is that if a subscriber wants to protect 10 subdomains then a wildcard certificate can be used. But what if an attacker adds an 11th subdomain, then the certificate can still be used. Seems like a risk we can avoid with the current EV spec.
>
>
>
> As such, based on this risk and other examples which have been brought up, we would not be in favor of adding wildcard to EV.
>
>
>
> Thanks, Bruce.

Hi Bruce,

I am having trouble understanding your attack scenario. Could you elaborate on what it means for an attacker to add a subdomain - how that might happen and what might be done by an attacker who could?
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150320/7338091f/attachment-0003.html>