[cabfpub] EV Wildcards
sleevi at google.com
Thu Mar 26 22:03:46 UTC 2015
On Thu, Mar 26, 2015 at 2:59 PM, Geoff Keating <geoffk at apple.com> wrote:
> On 26 Mar 2015, at 8:46 am, Dean Coclin <Dean_Coclin at symantec.com> wrote:
> We disagree with this line of thinking. Today someone can pay a few
> dollars and secure *.example.com, where the result is [high-risk].
> example.com with the most limited form of authentication. However a
> legitimate organization that successfully passes EV verification cannot
> order that same certificate. This makes zero sense — in fact, since the
> concern is with the exploit, this logic means that wildcards would be
> forced to the least authenticated customers. Hence we would support
> wildcards for EV certs.
> I don’t believe this is correct; a legitimate organization that passes EV
> verification can order that same certificate, and no further validation is
> required. What they can’t do is get it marked as EV.
That depends on a CA-by-CA basis.
[high-risk] is a CA-dependent determination which the BRs don't normatively
specify, and thus subject to a wide degree of interpretation regarding it.
So you could shop EV CAs until you found a CA willing to do it.
It's not even a valid PR compliant, as was suggested elsewhere. It'd be two
CA's bickering over what "high risk" means and whether "[some string]" is
high-risk or not. The process/procedures of the EV process would have been
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Public