
Re: Action-85: Wildcard certs and virtual hosts

From: Mike Beltzner <beltzner@mozilla.com>
Date: Tue, 13 Feb 2007 00:44:25 -0500
Message-Id: <8918B276-6C52-4DAE-B8F4-9DAD46EA224A@mozilla.com>
Cc: public-wsc-wg@w3.org
To: Chuck Wade <Chuck@Interisle.net>

On 12-Feb-07, at 10:33 PM, Chuck Wade wrote:

> What is the relevance of all of this to the WSC group? Mostly it is a matter of interpreting how any of this might be portrayed to the user of a browser that has surfed to a Web site that uses a wildcard cert. In almost all cases, the user never needs to know if the site's cert contains a wildcard CN or not. There have been some arguments in the past that wildcard certs might not be as secure as certs containing fully qualified domain names. However, these concerns are secondary, or even tertiary. What does matter is that the user should not be confronted with decisions about whether or not to accept a Web session based on the use of a wildcard cert.

I would agree. It can be part of some deeper security context / signals that get exposed, but I don't see any need for it on the front-end. As I understand it, though, wildcard certs are often considered by the security community to be on the same level as self-signed or "internal use" certs.

Do we know of any CAs that issue them?

> There is one other issue that may be relevant to this group, and that is whether or not EV certs will be allowed to have wildcarded CNs? I'll have to defer to others on this list for clarification of this point as well as elucidation of the potential impact on browsers and user interfaces.

Not according to the most recent draft of the EV Certificate Guidelines (Draft 11):

D.6.(a).(2).: "Wildcard certificates are not allowed for EV certificates."

cheers,
mike
Received on Tuesday, 13 February 2007 05:44:42 GMT
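As an added illustration of the matching decision the thread says a browser should make silently (not code from the thread or from any browser), the following implements the usual wildcard rule, with a separate check modelled on the EV guideline quoted above; the certificate names are constructed samples.

```python
"""Hostname matching against certificate names, including wildcard CNs.

Added example, not from the thread. The wildcard rule implemented here is
the common browser behaviour: '*' may only be the entire leftmost label,
must leave at least two further labels, and matches exactly one label.
The EV check reflects the guideline quoted in the message ("Wildcard
certificates are not allowed for EV certificates").
"""


def hostname_matches(cert_name: str, hostname: str) -> bool:
    """Return True if cert_name (a CN or dNSName entry) covers hostname."""
    cert_name = cert_name.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in cert_name:
        return cert_name == hostname
    cert_labels = cert_name.split(".")
    host_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label, with at least two more
    # labels after it, so names like '*.com' never match anything.
    if cert_labels[0] != "*" or len(cert_labels) < 3:
        return False
    if any("*" in label for label in cert_labels[1:]):
        return False
    # One wildcard covers exactly one label: '*.example.com' matches
    # 'www.example.com' but neither 'example.com' nor 'a.b.example.com'.
    if len(host_labels) != len(cert_labels):
        return False
    return host_labels[1:] == cert_labels[1:]


def is_wildcard_name(cert_name: str) -> bool:
    """True if the name contains a wildcard label."""
    return "*" in cert_name


def ev_policy_violations(cert_names) -> list:
    """Names that would disqualify a certificate from EV treatment."""
    return [n for n in cert_names if is_wildcard_name(n)]


if __name__ == "__main__":
    names = ["*.example.com", "www.example.com"]  # constructed sample names
    for host in ["www.example.com", "example.com", "a.b.example.com"]:
        print(host, "->", [n for n in names if hostname_matches(n, host)])
    print("EV violations:", ev_policy_violations(names))
```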
