[cabfpub] Clarifying allowed wildcard in BR

Ryan Sleevi sleevi at google.com
Tue Mar 8 14:53:24 UTC 2016


+1 - That's long been the interpretation that we expected CAs to
follow, and we were surprised and dismayed there was any confusion.

On Tue, Mar 8, 2016 at 6:20 AM, Adriano Santoni <
adriano.santoni at staff.aruba.it> wrote:

> +1
> I would endorse.
>
> On 08/03/2016 15:11, Stephen Davidson wrote:
>
> Currently the BR address wildcard certificates as follows:
>
>
>
> Wildcard Certificate: A Certificate containing an asterisk (*) in the
> left‐most position of any of the Subject Fully‐Qualified Domain Names
> contained in the Certificate.
>
>
>
> The browsers implement this to mean “the asterisk must ONLY be in the
> left‐most position and must constitute the ENTIRE label”.
>
>
>
> That being said, there is some confusion among SSL buyers about what is
> allowable.  This probably stems from RFC 6125 section 7.2 which first
> argues against wildcards entirely, then recommends the use of the wildcard
> character alone in the left-most label, but also acknowledges the other
> historical wildcard variants found in other RFCs (such as HTTPS, LDAP,
> IMAP) including:
>
>
>
> fo*.example.com
>
> *.*.example.com
>
> www.*.example.com
>
>
>
> crt.sh/certlint (thanks Rob and Peter) finds a handful of examples of
> these variants.  For the sake of clarity, I’d like to propose a simple
> amendment to the wildcard definition in the BR to say:
>
>
>
> Wildcard Certificate: A Certificate containing an asterisk (*) *only* in
> the left‐most *label, and constituting that entire label,* of any of the
> Subject Fully‐Qualified Domain Names contained in the Certificate.
>
>
>
> Thoughts?  Anyone willing to join in proposing a ballot?
>
>
>
> Regards, Stephen
>
> QuoVadis
>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
>
> --
>
> Kind regards,
>
> Adriano Santoni
> ACTALIS S.p.A.
> (Aruba Group)
>
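The proposed definition from the thread, expressed as a lint check over dNSName values. This is an added example, not part of the original messages and not code from certlint or crt.sh; the function names and verdict strings are assumptions, and the sample names are constructed from the variants quoted in the thread.

```python
# Added example: lint dNSName values against the proposed wildcard wording
# ("asterisk only in the left-most label, and constituting that entire label").
# classify_wildcard / lint_names and the verdict strings are hypothetical names.

def classify_wildcard(fqdn: str) -> str:
    """Return 'not-wildcard', 'ok', or the reason the name fails the proposal."""
    if "*" not in fqdn:
        return "not-wildcard"
    labels = fqdn.rstrip(".").split(".")  # tolerate a trailing root dot
    # Asterisk in any label other than the left-most one,
    # e.g. *.*.example.com or www.*.example.com
    if any("*" in label for label in labels[1:]):
        return "asterisk outside left-most label"
    # Asterisk mixed with other characters in the left-most label,
    # e.g. fo*.example.com
    if labels[0] != "*":
        return "left-most label is not exactly '*'"
    # Sanity check beyond the proposal's wording (an assumption of this
    # example): a wildcard needs non-empty labels to its right.
    if len(labels) < 2 or any(label == "" for label in labels[1:]):
        return "malformed name"
    return "ok"


def lint_names(names):
    """Map each rejected wildcard name to the reason it was rejected."""
    findings = {}
    for name in names:
        verdict = classify_wildcard(name)
        if verdict not in ("ok", "not-wildcard"):
            findings[name] = verdict
    return findings


# Constructed sample input: the three historical variants from the thread,
# plus one conforming wildcard and one ordinary host name.
SAMPLE_NAMES = [
    "*.example.com",
    "www.example.com",
    "fo*.example.com",
    "*.*.example.com",
    "www.*.example.com",
]

if __name__ == "__main__":
    for name, reason in lint_names(SAMPLE_NAMES).items():
        print(f"{name}: {reason}")
```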