[cabfpub] EV Wildcards
Ryan Sleevi
sleevi at google.com
Thu Mar 26 22:03:46 UTC 2015
On Thu, Mar 26, 2015 at 2:59 PM, Geoff Keating <geoffk at apple.com> wrote:
>
> On 26 Mar 2015, at 8:46 am, Dean Coclin <Dean_Coclin at symantec.com> wrote:
>
> We disagree with this line of thinking. Today someone can pay a few
> dollars and secure *.example.com, where the result is [high-risk].
> example.com with the most limited form of authentication. However a
> legitimate organization that successfully passes EV verification cannot
> order that same certificate. This makes zero sense — in fact, since the
> concern is with the exploit, this logic means that wildcards would be
> forced to the least authenticated customers. Hence we would support
> wildcards for EV certs.
>
>
>
> I don’t believe this is correct; a legitimate organization that passes EV
> verification can order that same certificate, and no further validation is
> required. What they can’t do is get it marked as EV.
>
That depends on a CA-by-CA basis.
[high-risk] is a CA-dependent determination which the BRs don't normatively
specify, and thus subject to a wide degree of interpretation regarding it.
So you could shop EV CAs until you found a CA willing to do it.
It's not even a valid PR compliant, as was suggested elsewhere. It'd be two
CA's bickering over what "high risk" means and whether "[some string]" is
high-risk or not. The process/procedures of the EV process would have been
fully followed.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.cabforum.org/pipermail/public/attachments/20150326/b8f8f8d9/attachment-0003.html>
More information about the Public
mailing list