[cabfpub] Clarifying allowed wildcard in BR

Jeremy Rowley jeremy.rowley at digicert.com
Tue Mar 8 17:25:24 UTC 2016

You can verify fo*.example.com by verifying example.com using any of the methods specified in the BRs.


From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Tuesday, March 8, 2016 9:52 AM
To: Jeremy Rowley
Cc: Stephen Davidson; public at cabforum.org
Subject: Re: [cabfpub] Clarifying allowed wildcard in BR




On Tue, Mar 8, 2016 at 8:30 AM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:

I agree it should be clarified, but I think we should add the text to section and state that a wildcard cert is any certificate containing a wildcard character in a Subject Fully-Qualified Domain Name contained in a Certificate. Plus, we have something in called a Wildcard FQDN that was never defined.


If we amend the definition as you suggested, fo*.example.com would no longer be considered a wildcard certificate. Rather than prohibit issuance, the change would exempt fo*.example.com from the wildcard rules in the BRs and make it a normal string (because it doesn't meet the wildcard definition). To make it simple, I suggest:


I disagree with this possible interpretation being permissible, because you cannot potentially validate that fo*.example.com is valid. For example, it does not conform to DNS hostname rules.


That said, I agree that there's the potential to be incorrectly interpreted, and your rewording is even more precise/clear :)



Revise the definition of a wildcard certificate:

Wildcard Certificate: A Certificate containing an asterisk (*) in a Subject Fully‐Qualified Domain Name contained in the Certificate.


Revise as follows:

Contents: This extension MUST contain at least one entry. Each entry MUST be either a dNSName containing the Fully‐Qualified Domain Name or an iPAddress containing the IP address of a server. The CA MUST confirm that the Applicant controls the Fully‐Qualified Domain Name or IP address or has been granted the right to use it by the Domain Name Registrant or IP address assignee, as appropriate. A dNSName entry MAY contain a wildcard character provided that the wildcard character constitutes the entire left-most label of the FQDN and only a single wildcard character is used in each FQDN.

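As an added illustration (not part of the thread or of the BRs themselves), the following Python check applies the proposed dNSName wording to candidate SAN entries: an asterisk is only accepted as the entire left-most label, at most one asterisk per FQDN, and the remaining labels must satisfy DNS hostname (LDH) rules, which is the objection raised above to fo*.example.com. The treatment of a bare "*" with no domain behind it, and the LDH label regex, are my assumptions, not text from the discussion.

```python
"""Check dNSName SAN entries against the proposed wildcard wording."""
import re

# Assumed RFC 1123 "letters, digits, hyphen" label: 1-63 chars,
# no leading or trailing hyphen.
LDH_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def check_dnsname(name: str) -> dict:
    """Classify one dNSName entry.

    wildcard: entry contains an asterisk (proposed Wildcard Certificate test)
    conforms: plain LDH hostname, or a wildcard entry whose asterisk is the
              entire left-most label and the only asterisk in the FQDN
    validate: the FQDN whose control the CA must confirm before issuing
    """
    labels = name.rstrip(".").split(".")
    wildcard = "*" in name
    result = {"name": name, "wildcard": wildcard, "conforms": False,
              "reason": "", "validate": None}
    if wildcard:
        if name.count("*") > 1:
            result["reason"] = "only a single wildcard character per FQDN"
            return result
        if labels[0] != "*":
            result["reason"] = "wildcard must be the entire left-most label"
            return result
        labels = labels[1:]
        # Assumption: a bare "*" names no domain, so there is nothing to validate.
        if not labels:
            result["reason"] = "wildcard must be followed by a domain"
            return result
    for label in labels:
        if not LDH_LABEL.match(label):
            result["reason"] = f"label {label!r} violates DNS hostname rules"
            return result
    result["conforms"] = True
    result["validate"] = ".".join(labels)
    return result


def is_wildcard_certificate(dns_names) -> bool:
    """Proposed definition: any asterisk in any Subject FQDN."""
    return any("*" in n for n in dns_names)


if __name__ == "__main__":
    # Constructed sample entries; fo*.example.com is the one under discussion.
    for n in ["www.example.com", "*.example.com", "fo*.example.com",
              "*.*.example.com", "sub.*.example.com", "bad_host.example.com"]:
        r = check_dnsname(n)
        print(f"{n:22} wildcard={r['wildcard']} conforms={r['conforms']} "
              f"validate={r['validate']} {r['reason']}")
```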
