This strikes me as notoriously bad, although it is in accordance with the RFC. I still don't want to accept the usefulness and inherent security, so I'd like to get some expert opinions on this.
Are wildcard certficates good? secure? useful?
I think this is one of the cases where security can't be considered in isolation. It depends what risks you are trying to protect against. In a large company you might want to limit the effects of a key compromise. For example you might want to make sure that someone who steals the UK key can't masquerade as the American office.
I can't see any generalised threats that would justify withdrawing wildcard certs, but perhaps others can.
-- Pete
--------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]