[cabfpub] EV Wildcards

Gervase Markham gerv at mozilla.org
Fri Mar 20 15:16:34 UTC 2015

On 20/03/15 13:26, Ryan Sleevi wrote:
> Of course, as pointed out by a number of people, nothing in the EVGs
> today actually ensures what you stated in 3 happens.
> That is, in this hypothetical world, Google could go out and get EV
> certs for foo.appspot.com, bar.appspot.com, and mywebshop.appspot.com,
> all of which would have the exact same information in every field of
> the certificate, all of which would point to Google.

That is true. However, I would hope Google and other providers would
refrain from doing that - not least because there would be no cost
advantage, but also because they understand how it's supposed to work.

It's true that the EV Guidelines assume that the person who controls the
domain will be the person running the website, and so no distinction is
made between the two identities. If we think that assumption might be
broken, perhaps we should update the guidelines so that they specify
that the applicant for an EV cert should be the entity operating the
services on the domain.


