[cabfpub] EV Wildcards

Ryan Sleevi sleevi at google.com
Thu Mar 26 22:03:46 UTC 2015

On Thu, Mar 26, 2015 at 2:59 PM, Geoff Keating <geoffk at apple.com> wrote:

> On 26 Mar 2015, at 8:46 am, Dean Coclin <Dean_Coclin at symantec.com> wrote:
> We disagree with this line of thinking. Today someone can pay a few
> dollars and secure *.example.com, where the result is [high-risk].
> example.com with the most limited form of authentication. However a
> legitimate organization that successfully passes EV verification cannot
> order that same certificate. This makes zero sense — in fact, since the
> concern is with the exploit, this logic means that wildcards would be
> forced to the least authenticated customers.  Hence we would support
> wildcards for EV certs.
> I don’t believe this is correct; a legitimate organization that passes EV
> verification can order that same certificate, and no further validation is
> required.  What they can’t do is get it marked as EV.

That depends on a CA-by-CA basis.

[high-risk] is a CA-dependent determination which the BRs don't normatively
specify, and thus subject to a wide degree of interpretation regarding it.
So you could shop EV CAs until you found a CA willing to do it.

It's not even a valid PR compliant, as was suggested elsewhere. It'd be two
CA's bickering over what "high risk" means and whether "[some string]" is
high-risk or not. The process/procedures of the EV process would have been
fully followed.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150326/b8f8f8d9/attachment-0003.html>

More information about the Public mailing list