[cabfpub] Clarifying allowed wildcard in BR

Rick Andrews Rick_Andrews at symantec.com
Tue Mar 8 17:50:31 UTC 2016

I suspect some of the confusion about wildcards is due to Microsoft’s guidance, for example, here: http://support.microsoft.com/kb/258858. Some of the affected OSes are still supported. Jody, it would be helpful if someone from Microsoft would comment on this issue. 




From: public-bounces at cabforum.org [mailto:public-bounces at cabforum.org] On Behalf Of Jeremy Rowley
Sent: Tuesday, March 08, 2016 9:25 AM
To: Ryan Sleevi <sleevi at google.com>
Cc: Stephen Davidson <S.Davidson at quovadisglobal.com>; public at cabforum.org
Subject: Re: [cabfpub] Clarifying allowed wildcard in BR


You can verify fo*.example.com by verifying example.com using any of the methods specified in the BRs.


From: Ryan Sleevi [mailto:sleevi at google.com] 
Sent: Tuesday, March 8, 2016 9:52 AM
To: Jeremy Rowley
Cc: Stephen Davidson; public at cabforum.org
Subject: Re: [cabfpub] Clarifying allowed wildcard in BR




On Tue, Mar 8, 2016 at 8:30 AM, Jeremy Rowley <jeremy.rowley at digicert.com> wrote:

I agree it should be clarified, but I think we should add the text to section and state that a wildcard cert is any certificate containing a wildcard character in a Subject Fully-Qualified Domain Name contained in a Certificate. Plus, we have something in called a Wildcard FQDN that was never defined.


If we amend the definition as you suggested, fo*.example.com would no longer be considered a wildcard certificate. Rather than prohibit issuance, the change would exempt fo*.example.com from the wildcard rules in the BRs and make it a normal string (because it doesn’t meet the wildcard definition). To make it simple, I suggest:


I disagree with this possible interpretation being permissible, because you cannot potentially validate that fo*.example.com is valid. For example, it does not conform to DNS hostname rules.


That said, I agree that there's the potential to be incorrectly interpreted, and your rewording is even more precise/clear :)



Revise the definition of a wildcard certificate:

Wildcard Certificate: A Certificate containing an asterisk (*) in a Subject Fully-Qualified Domain Name contained in the Certificate.


Revise as follows:

Contents: This extension MUST contain at least one entry. Each entry MUST be either a dNSName containing the Fully-Qualified Domain Name or an iPAddress containing the IP address of a server. The CA MUST confirm that the Applicant controls the Fully-Qualified Domain Name or IP address or has been granted the right to use it by the Domain Name Registrant or IP address assignee, as appropriate. A dNSName entry MAY contain a wildcard character provided that the wildcard character constitutes the entire left most label of the FQDN and only a single wildcard character is used in each FQDN.
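As an added example, not part of this thread or of the Baseline Requirements, the following checker applies the two proposed texts above to a dNSName SAN entry: it classifies the name as a wildcard name whenever it contains an asterisk, and it accepts the wildcard only when the asterisk is the entire leftmost label and is the only wildcard character in the FQDN, which is exactly what rejects fo*.example.com. Two checks are assumptions beyond the quoted text: a bare "*" is rejected because it leaves no domain for the CA to validate, and the remaining labels are checked against RFC 1123 hostname syntax.

```python
import re
from dataclasses import dataclass

# RFC 1123 hostname label: letters, digits, hyphen; no leading/trailing hyphen.
# This syntax check is an assumption added here, not part of the proposed BR text.
_LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


@dataclass(frozen=True)
class WildcardCheck:
    is_wildcard: bool   # any asterisk present (proposed "Wildcard Certificate" definition)
    allowed: bool       # passes the proposed dNSName wildcard rule
    reason: str
    base_domain: str    # labels right of the wildcard label; the domain the CA validates


def check_dnsname(name: str) -> WildcardCheck:
    """Evaluate one dNSName SAN entry against the proposed wildcard wording."""
    labels = name.rstrip(".").split(".")
    n_stars = name.count("*")
    if n_stars == 0:
        # Plain FQDN: nothing wildcard-specific applies, just check label syntax.
        ok = all(_LABEL_RE.match(label) for label in labels)
        return WildcardCheck(False, ok, "no wildcard" if ok else "malformed label", name)
    if n_stars > 1:
        return WildcardCheck(True, False, "more than one wildcard character", "")
    star_idx = next(i for i, label in enumerate(labels) if "*" in label)
    if labels[star_idx] != "*":
        # e.g. fo*.example.com: the asterisk shares a label with other characters
        return WildcardCheck(True, False, "wildcard is not the entire label", "")
    if star_idx != 0:
        # e.g. foo.*.example.com: whole-label wildcard, but not the leftmost label
        return WildcardCheck(True, False, "wildcard label is not the leftmost label", "")
    rest = labels[1:]
    if not rest:
        # Assumption added here: a bare "*" leaves nothing to validate control of.
        return WildcardCheck(True, False, "bare '*' has no domain to validate", "")
    if not all(_LABEL_RE.match(label) for label in rest):
        return WildcardCheck(True, False, "malformed label right of the wildcard", "")
    return WildcardCheck(True, True, "single wildcard is the entire leftmost label",
                         ".".join(rest))


if __name__ == "__main__":
    # Constructed sample SAN entries covering the cases discussed in the thread.
    for san in ["*.example.com", "fo*.example.com", "*.*.example.com",
                "foo.*.example.com", "*", "example.com"]:
        print(f"{san:20} -> {check_dnsname(san)}")
```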

