[cabfpub] EV Wildcards

Rob Stradling rob.stradling at comodo.com
Fri Mar 20 21:18:14 UTC 2015


Gerv, if you're opposed to the idea of EV wildcards, does this mean that 
Mozilla will go ahead and implement...

https://bugzilla.mozilla.org/show_bug.cgi?id=921127

...even if a ballot to permit EV wildcards gets passed?

On 20/03/15 10:21, Gervase Markham wrote:
> On 19/03/15 23:00, Jeremy Rowley wrote:
>> The reasons against allowing it were:
>>
>> 1) CAs are looking at the FQDN as part of the high risk check.
>> (The counter to this was that high risk checks are highly language and
>> CA dependent – I might not catch that bankofamerica.mydomain.com is a
>> high risk domain if I’m operating outside the US)
>>
>> 2) Eliminating wildcards ensures the requester knows exactly what
>> domains are being covered by the EV cert.
>
> 3) The purpose of EV is to place the identity of the website operator in
> the certificate, so that users know who it is they are dealing with when
> they interact with a site. If e.g. Google buy an EV cert for
> *.appspot.com to give EV to all their users, then it would be their
> information inside the cert, not the operator of foo.appspot.com or
> bar.appspot.com. This defeats the point of EV, rendering it effectively
> the same as DV.
>
> To look at it another way: we all know how to contact Google, and that
> they are a legitimate business. If mywebshop.appspot.com has an EV cert,
> what I want to know is who is running that business, and how I contact
> _them_ (or what info I can give to the police). Contact info for Google
> is not very useful in that circumstance!
>
> Gerv

-- 
Rob Stradling
Senior Research & Development Scientist
COMODO - Creating Trust Online


