[cabfpub] Clarifying allowed wildcard in BR

Ryan Sleevi sleevi at google.com
Tue Mar 8 16:51:57 UTC 2016


On Tue, Mar 8, 2016 at 8:30 AM, Jeremy Rowley <jeremy.rowley at digicert.com>
wrote:

> I agree it should be clarified, but I think we should add the text to
> section 7.1.4.2.1 and state that a wildcard cert is any certificate
> containing a wildcard character in a Subject Fully-Qualified Domain Name
> contained in a Certificate. Plus, we have something in 7.1.4.2.1 called a
> Wildcard FQDN that was never defined.
>
>
>
> If we amend the definition as you suggested, fo*.example.com would no
> longer be considered a wildcard certificate. Rather than prohibit issuance,
> the change would exempt fo*.example.com from the wildcard rules in the
> BRs and make it a normal string (because it doesn’t meet the wildcard
> definition). To make it simple, I suggest:
>

I disagree with this possible interpretation being permissible, because you
cannot potentially validate that fo*.example.com is valid. For example, it
does not conform to DNS hostname rules.

That said, I agree that there's the potential to be incorrectly
interpreted, and your rewording is even more precise/clear :)


>
>
> Revise the definition of a wildcard certificate:
>
> Wildcard Certificate: A Certificate containing an asterisk (*) in a
> Subject Fully-Qualified Domain Name contained in the Certificate.
>
>
>
> Revise 7.1.4.2.1 as follows:
>
> Contents: This extension MUST contain at least one entry. Each entry MUST
> be either a dNSName containing the Fully-Qualified Domain Name or an
> iPAddress containing the IP address of a server. The CA MUST confirm that
> the Applicant controls the Fully-Qualified Domain Name or IP address or has
> been granted the right to use it by the Domain Name Registrant or IP
> address assignee, as appropriate. *A dNSName entry MAY contain a wildcard
> character provided that the wildcard character constitutes the entire left
> most label of the FQDN and only a single wildcard character is used in each
> FQDN.*
>
>
>
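The rule quoted above (an asterisk anywhere makes the name a wildcard name; it is only permitted as a single asterisk forming the entire left-most label), as an added example that is not part of this thread or any CA/B Forum text. The hostname-label check and the rejection of a bare "*" are assumptions of this example, not wording from the proposal.

```python
import re
from typing import Tuple

# RFC 1123 hostname label: 1-63 letters, digits or hyphens, not starting or
# ending with a hyphen. Used to reject names such as fo*.example.com that are
# not valid DNS hostnames even before the wildcard rule is applied.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_dnsname(name: str) -> Tuple[bool, bool, str]:
    """Classify one dNSName SAN entry under the proposed 7.1.4.2.1 wording.

    Returns (is_wildcard, allowed, reason). A name counts as a wildcard name
    as soon as it contains an asterisk (the proposed definition); it is
    allowed only if that asterisk is the single asterisk in the name and is
    the entire left-most label.
    """
    labels = name.rstrip(".").lower().split(".")
    asterisks = name.count("*")
    is_wildcard = asterisks > 0

    if asterisks > 1:
        return is_wildcard, False, "only a single wildcard character is permitted per FQDN"
    if is_wildcard:
        if labels[0] != "*":
            # Covers both fo*.example.com and foo.*.example.com
            return is_wildcard, False, "wildcard must constitute the entire left-most label"
        labels = labels[1:]
        if not labels:
            # Assumption of this example, not in the proposal: a bare "*" is not an FQDN.
            return is_wildcard, False, "wildcard must be followed by at least one label"
    # Whatever remains must be syntactically valid hostname labels.
    bad = [label for label in labels if not LABEL_RE.match(label)]
    if bad:
        return is_wildcard, False, f"not a valid DNS hostname: bad label(s) {bad}"
    return is_wildcard, True, "ok"


if __name__ == "__main__":
    # Constructed sample SAN entries, including the fo*.example.com case from the thread.
    for san in ["www.example.com", "*.example.com", "fo*.example.com",
                "foo.*.example.com", "*.*.example.com", "*.exa_mple.com"]:
        print(san, check_dnsname(san))
```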

