[cabfpub] Wildcard language in BRs
pzb at amzn.com
Thu Apr 21 22:17:01 UTC 2016
On Apr 21, 2016, at 1:31 PM, Rick Andrews <rick_andrews at symantec.com> wrote:
> The BRs define Wildcard Certificate:
> "Wildcard Certificate: A Certificate containing an asterisk (*) in the
> left‐most position of any of the Subject Fully‐Qualified Domain Names
> contained in the Certificate."
> Is "left-most position" technically defined? Does that mean the left-most
> character or left-most label? A name like "ww*.example.com" has an asterisk
> in the left-most label. So if position=label, that name is permitted.
> This is why we agree with Jeremy that the current language is ambiguous and
> doesn't clearly exclude wildcards like "ww*.example.com".
In https://cabforum.org/pipermail/public/2016-April/007210.html I proposed new language to replace the ambiguous language.
It would define a new term "Wildcard Domain Name" with the definition of "A Domain Name formed by prepending '*.' to a FQDN" and then use this in the Wildcard Certificate definition: "A Certificate containing a Wildcard Domain Name in any of the Subject Alternative Name dNSNames contained in the Certificate".
Then in 22.214.171.124, make it read:
Before issuing a certificate with a Wildcard Domain Name in a CN or subjectAltName of type DNS‐ID, the CA MUST establish and follow a documented procedure† that determines if the FQDN portion of the Wildcard Domain Name is a “registry‐controlled” label or “public suffix” (e.g. “*.com”, “*.co.uk”, see RFC 6454 Section 8.2 for further explanation).
If so, CAs MUST refuse issuance unless the applicant proves its rightful control of the entire Domain Namespace. (e.g. CAs MUST NOT issue “*.co.uk” or “*.local”, but MAY issue “*.example” if the .example gTLD includes Specification 13 in its registry agreement).
Do you agree that this would make the language unambiguous?
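As an added illustration (not part of the thread or of any CA's code), the following applies the proposed definition and the proposed issuance rule to individual SAN dNSNames. The registry-controlled label set is a constructed, abbreviated stand-in for the Public Suffix List, and "example" is assumed to be a gTLD whose registry agreement includes Specification 13.

```python
import re

# Constructed, abbreviated stand-in for a registry-controlled label / public
# suffix list (a real CA would load the full Public Suffix List). "example"
# is assumed here to be a gTLD covered by Specification 13.
REGISTRY_CONTROLLED = {"com", "uk", "co.uk", "local", "example"}

# One DNS label (letters, digits, hyphen; no leading/trailing hyphen);
# an FQDN is one or more dot-separated labels.
_LABEL = r"[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?"
_FQDN = re.compile(rf"^{_LABEL}(?:\.{_LABEL})*$")


def is_wildcard_domain_name(name: str) -> bool:
    """Proposed definition: a Domain Name formed by prepending '*.' to an FQDN.
    Under it, 'ww*.example.com' and '*.*.example.com' are not wildcard names."""
    return name.startswith("*.") and _FQDN.fullmatch(name[2:].lower()) is not None


def fqdn_portion(wildcard_name: str) -> str:
    """The FQDN to which '*.' was prepended, normalised to lower case."""
    return wildcard_name[2:].lower()


def decide(name: str, applicant_controls_namespace: bool = False) -> str:
    """Apply the proposed wildcard rule to one SAN dNSName.

    Returns 'not-wildcard' (no asterisk; ordinary validation applies),
    'invalid' (asterisk present but not a Wildcard Domain Name),
    'refuse' (FQDN portion is registry-controlled and the applicant has not
    proven control of the entire Domain Namespace), or 'issue'.
    """
    if "*" not in name:
        return "not-wildcard"
    if not is_wildcard_domain_name(name):
        return "invalid"
    if fqdn_portion(name) in REGISTRY_CONTROLLED and not applicant_controls_namespace:
        return "refuse"
    return "issue"


if __name__ == "__main__":
    for n in ("*.example.com", "ww*.example.com", "*.co.uk", "*.local", "*.example"):
        print(f"{n:18} -> {decide(n)}")
```

The PSL's own wildcard and exception rules are not modelled; a production check would consult the full list rather than this fixed set.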