[cabfpub] Clarifying allowed wildcard in BR

Richard Barnes rbarnes at mozilla.com
Tue Mar 8 16:10:52 UTC 2016


+1

On Tue, Mar 8, 2016 at 9:53 AM, Ryan Sleevi <sleevi at google.com> wrote:

> +1 - That's long been the interpretation for which we expected CAs to
> follow, and were surprised and dismayed there was any confusion.
>
> On Tue, Mar 8, 2016 at 6:20 AM, Adriano Santoni <
> adriano.santoni at staff.aruba.it> wrote:
>
>> +1
>> I would endorse.
>>
>> On 08/03/2016 15:11, Stephen Davidson wrote:
>>
>> Currently the BR address wildcard certificates as follows:
>>
>>
>>
>> Wildcard Certificate: A Certificate containing an asterisk (*) in the
>> left‐most position of any of the Subject Fully‐Qualified Domain Names
>> contained in the Certificate.
>>
>>
>>
>> The browsers implement this to mean “the asterisk must ONLY be in the
>> left‐most position and must constitute the ENTIRE label”.
>>
>>
>>
>> That being said, there is some confusion among SSL buyers about what is
>> allowable.  This probably stems from RFC 6125 section 7.2 which first
>> argues against wildcards entirely, then recommends the use of the wildcard
>> character alone in the left-most label, but also acknowledges the other
>> historical wildcard variants found in other RFCs (such as HTTPS, LDAP,
>> IMAP) including:
>>
>>
>>
>> fo*.example.com
>>
>> *.*.example.com
>>
>> www.*.example.com
>>
>>
>>
>> crt.sh/certlint (thanks Rob and Peter) finds a handful of examples of
>> these variants.  For the sake of clarity, I’d like to propose a simple
>> amendment to the wildcard definition in the BR to say:
>>
>>
>>
>> Wildcard Certificate: A Certificate containing an asterisk (*) *only* in
>> the left‐most *label, and constituting that entire label,* of any of the
>> Subject Fully‐Qualified Domain Names contained in the Certificate.
>>
>>
>>
>> Thoughts?  Anyone willing to join in proposing a ballot?
>>
>>
>>
>> Regards, Stephen
>>
>> QuoVadis
>>
>>
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
>>
>>
>> --
>>
>> Kind regards,
>>
>> Adriano Santoni
>> ACTALIS S.p.A.
>> (Aruba Group)
>>
>> _______________________________________________
>> Public mailing list
>> Public at cabforum.org
>> https://cabforum.org/mailman/listinfo/public
>>
>>
>
> _______________________________________________
> Public mailing list
> Public at cabforum.org
> https://cabforum.org/mailman/listinfo/public
>
>
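As an added illustration (not part of the thread, and not code from crt.sh, certlint or the CA/B Forum), the following Python check applies Stephen's proposed wording, "an asterisk only in the left-most label, constituting that entire label", to a constructed SAN list and separates the three historical variants he quotes from the compliant form. The function names and sample names are assumptions made for this example.

```python
import re

# Plain hostname label: letters, digits and hyphens, no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9](?:[a-z0-9-]*[a-z0-9])?$", re.IGNORECASE)

# Constructed sample SAN list covering the forms discussed in the thread.
SAMPLE_SANS = [
    "www.example.com",
    "*.example.com",
    "fo*.example.com",
    "*.*.example.com",
    "www.*.example.com",
]


def classify_wildcard(name: str) -> str:
    """Classify one Subject FQDN / dNSName against the proposed BR wording.

    "none"      - no asterisk
    "compliant" - exactly one asterisk, alone in the left-most label
    "partial"   - asterisk mixed into a label (fo*.example.com)
    "multiple"  - more than one wildcard label (*.*.example.com)
    "interior"  - whole-label asterisk that is not left-most (www.*.example.com)
    "malformed" - bare "*" or a label that is not a valid hostname label
    """
    if "*" not in name:
        return "none"
    labels = name.rstrip(".").split(".")
    if len(labels) < 2:                      # assumption: "*" alone is not an FQDN
        return "malformed"
    if any(lbl != "*" and "*" in lbl for lbl in labels):
        return "partial"
    star_positions = [i for i, lbl in enumerate(labels) if lbl == "*"]
    if len(star_positions) > 1:
        return "multiple"
    if star_positions[0] != 0:
        return "interior"
    if not all(LABEL_RE.match(lbl) for lbl in labels[1:]):
        return "malformed"
    return "compliant"


def lint_sans(sans):
    """Return (name, classification) for each SAN the proposed wording rejects."""
    results = [(n, classify_wildcard(n)) for n in sans]
    return [(n, c) for n, c in results if c not in ("none", "compliant")]


if __name__ == "__main__":
    for name, verdict in lint_sans(SAMPLE_SANS):
        print(f"{name}: {verdict}")
```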