[cabfpub] Clarifying allowed wildcard in BR

Stephen Davidson S.Davidson at quovadisglobal.com
Tue Mar 8 14:11:03 UTC 2016


Currently the BR addresses wildcard certificates as follows:

Wildcard Certificate: A Certificate containing an asterisk (*) in the left‐most position of any of the Subject Fully‐Qualified Domain Names contained in the Certificate.

The browsers implement this to mean “the asterisk must ONLY be in the left‐most position and must constitute the ENTIRE label”.

That being said, there is some confusion among SSL buyers about what is allowable.  This probably stems from RFC 6125 section 7.2, which first argues against wildcards entirely, then recommends the use of the wildcard character alone in the left-most label, but also acknowledges the other historical wildcard variants found in other RFCs (such as HTTPS, LDAP, IMAP), including:

fo*.example.com

*.*.example.com

www.*.example.com

crt.sh/certlint (thanks Rob and Peter) finds a handful of examples of these variants.  For the sake of clarity, I’d like to propose a simple amendment to the wildcard definition in the BR to say:

Wildcard Certificate: A Certificate containing an asterisk (*) only in the left‐most label, and constituting that entire label, of any of the Subject Fully‐Qualified Domain Names contained in the Certificate.

Thoughts?  Anyone willing to join in proposing a ballot?

Regards, Stephen

QuoVadis
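As an added example (not part of the post above, and not certlint's code), here is a small Python lint that applies the proposed wording to a list of dNSNames: an asterisk is acceptable only when it is the entire left-most label, so the three historical variants listed in the post are flagged. The label regex standing in for the DNS hostname (LDH) rules is an assumption of this example.

```python
import re

# Assumed hostname-label rule for this example: letters, digits and hyphens,
# 1-63 characters, not starting or ending with a hyphen. No asterisk allowed.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def classify_wildcard(fqdn: str) -> str:
    """Classify one Subject/SAN dNSName against the proposed BR definition.

    Returns one of:
      "plain"         - no asterisk anywhere in the name
      "wildcard"      - a single asterisk that is the entire left-most label
      "nonconforming" - an asterisk anywhere else (fo*.example.com,
                        *.*.example.com, www.*.example.com, or a bare "*")
      "invalid"       - empty name or a label that is not a valid hostname label
    """
    name = fqdn.rstrip(".")          # tolerate a trailing dot (absolute name)
    if not name:
        return "invalid"
    labels = name.split(".")
    if "*" not in name:
        return "plain" if all(_LABEL_RE.match(l) for l in labels) else "invalid"
    # A wildcard needs at least one real label to its right; "*" alone is not a name.
    if len(labels) < 2:
        return "nonconforming"
    first, rest = labels[0], labels[1:]
    # Only the left-most label may be "*", and every remaining label must be a
    # normal hostname label (which the regex above guarantees contains no "*").
    if first == "*" and all(_LABEL_RE.match(l) for l in rest):
        return "wildcard"
    return "nonconforming"


def lint_san_list(names):
    """Return the names that would fail the proposed wording, with their verdict."""
    return [(n, classify_wildcard(n)) for n in names
            if classify_wildcard(n) in ("nonconforming", "invalid")]


if __name__ == "__main__":
    # Constructed sample SAN list mirroring the variants discussed in the post.
    sample_sans = ["*.example.com", "www.example.com", "fo*.example.com",
                   "*.*.example.com", "www.*.example.com"]
    for name, verdict in lint_san_list(sample_sans):
        print(f"{name}: {verdict}")
```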
