On Sep 15, 2010, at 6:08 PM, Martin Rex wrote:

>> -- Page 19, sec 4.4.3, last graf:
>> A specification that references the rules defined in this document
>> can specify that the wildcard character is not allowed in
>> certificates used by the relevant application protocol or community
>> of interest.
>
> To me this sounds awkward. It implies that either the CA has a flawed CPS,
> can not appropriately deal with wildcard reference identifiers in certs,
> or is in general not trustworthy, or that the wildcard scheme is too dangerous
> (= too difficult to handle safely) for server admins.
<rant>
I believe wildcards are a misfeature, because a wildcard cert doesn't identify the server well enough that it should be trusted. I believe that "Best Practice" is to never use the feature, and for clients to raise flags if presented with it. Of course "Current" practice is to make maximal use of the feature because:

1) nobody understands how to make the names match in real deployments.
2) the CA's pricing model makes it cheaper to buy a wildcard cert than the full collection of multiple-alias certs you really need.
</rant>

Getting back to the point: I think it's perfectly appropriate for a Practice document to restrict when and how much you use a Standard feature.

------------------------------------------------------
The opinions expressed in this message are mine, not those of Caltech, JPL, NASA, or the US Government.
[email protected], or [email protected]

_______________________________________________
certid mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/certid
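As an added example that is not part of either message or of the draft under discussion: a client-side DNS-ID matcher with the policy knob the quoted draft text describes, so an application profile that forbids the wildcard character rejects such certificates outright instead of matching them by accident. The names `Verdict`, `check_dns_id` and `select_dns_id` are this example's own; the strict matching rules (the `*` must be the entire left-most label, stands for exactly one label, and must be followed by at least two labels) are an assumption modelled on common practice, not text taken from the thread.

```python
from enum import Enum
from typing import Optional


class Verdict(Enum):
    MATCH = "match"
    NO_MATCH = "no match"
    WILDCARD_FORBIDDEN = "wildcard forbidden by application profile"


def _labels(name: str) -> list[str]:
    # DNS names compare case-insensitively; a trailing dot is ignored.
    return name.rstrip(".").lower().split(".")


def _wildcard_matches(presented: str, reference: str) -> bool:
    p, r = _labels(presented), _labels(reference)
    # Strict form (assumption): '*' must be the whole left-most label, appear nowhere
    # else, and be followed by at least two labels, so "*.com" never matches "example.com".
    if p[0] != "*" or any("*" in lbl for lbl in p[1:]) or len(p) < 3:
        return False
    # '*' stands for exactly one label: it never spans "bar.foo" in bar.foo.example.com
    # and never matches the bare parent "example.com".
    return len(p) == len(r) and p[1:] == r[1:]


def check_dns_id(presented: str, reference: str, allow_wildcard: bool = True) -> Verdict:
    """Compare one presented identifier (a SAN dNSName) with the client's reference identifier.

    allow_wildcard=False models a profile stating that the wildcard character is not
    allowed in certificates for its protocol: any '*' is rejected before matching.
    """
    if "*" in presented:
        if not allow_wildcard:
            return Verdict.WILDCARD_FORBIDDEN
        return Verdict.MATCH if _wildcard_matches(presented, reference) else Verdict.NO_MATCH
    return Verdict.MATCH if _labels(presented) == _labels(reference) else Verdict.NO_MATCH


def select_dns_id(presented_ids: list[str], reference: str,
                  allow_wildcard: bool = True) -> tuple[Optional[str], list[Verdict]]:
    """Return the first presented identifier that matches, plus every verdict for logging."""
    verdicts: list[Verdict] = []
    for pid in presented_ids:
        verdict = check_dns_id(pid, reference, allow_wildcard)
        verdicts.append(verdict)
        if verdict is Verdict.MATCH:
            return pid, verdicts
    return None, verdicts


if __name__ == "__main__":
    # Constructed sample: a certificate carrying one wildcard SAN and one exact SAN.
    sans = ["*.example.com", "mail.example.com"]
    print(select_dns_id(sans, "www.example.com"))
    print(select_dns_id(sans, "www.example.com", allow_wildcard=False))
```

The second call shows the "raise flags" behaviour from the reply: the verdict list records that a wildcard identifier was presented and refused, which is what a client would log before failing the connection.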
