On 8/20/14, 2:03 PM, Peter Bowen wrote:
On Wed, Aug 20, 2014 at 1:55 PM, <[email protected]> wrote:
I've encountered a wildcard end-entity certificate on a live server that chains
directly to the root cert. There is no intermediate certificate and the root is
in the Mozilla trust store.
I assume this is a frowned upon practice that will be stopped as the BRs are
adopted and such certs expire naturally. There is no reason for such certs to
be reissued indefinitely, is there?
BR section 1: Except where explicitly stated otherwise, these
requirements apply only to relevant events that occur on or after the
Effective Date.
BR Document History: Version 1.0 of the Baseline Requirements
Adopted 22-Nov-11
Effective Date: 01-Jul-12
BR #9.2.1: Wildcard FQDNs are permitted.
BR #11.1.3: If a wildcard would fall within the label immediately to the
left of a registry-controlled† or public suffix, CAs MUST refuse
issuance unless the applicant proves its rightful control of the entire
Domain Namespace. (e.g. CAs MUST NOT issue “*.co.uk” or “*.local”, but
MAY issue “*.example.com” to Example Co.).
BR #12: "Root CA Private Keys MUST NOT be used to sign Certificates
except in the following cases:..."
I should have included the dates. Validity period is November 2010 to
2015.
The certificate was issued prior to the BR Effective Date, so the BRs
don't apply to this particular cert.
Wildcard certs that are issued today need to conform to the BRs,
including section 11.1.3 and section 12.
Beyond this one case I'm wondering if there are any survey data or anecdotes
about how common a practice this is (was?).
I don't know if anyone has studied how common it is/was to issue a
wildcard cert directly from a root.
Kathleen
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
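The two BR checks discussed in this thread (section 11.1.3 on wildcard placement and section 12 on root keys signing end-entity certificates), as an added example that is not part of the thread or of any CA's tooling; it assumes a constructed tiny subset of the Public Suffix List and a hypothetical chain expressed as plain dicts rather than parsed X.509 objects.

```python
# Added example (not from the thread): two review checks over an observed
# chain, mirroring BR 11.1.3 (wildcard placement) and BR 12 (root key must
# not sign end-entity certificates). PUBLIC_SUFFIXES is a constructed,
# tiny stand-in for the real Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk"}

def public_suffix(name):
    """Return the longest public suffix of `name`, or None if none matches."""
    labels = name.lower().strip(".").split(".")
    for i in range(len(labels)):            # longest candidate first
        candidate = ".".join(labels[i:])
        if candidate in PUBLIC_SUFFIXES:
            return candidate
    return None

def wildcard_allowed(fqdn):
    """BR 11.1.3: a wildcard must not sit immediately left of a public suffix,
    and what remains after '*.' must be a real registrable public name."""
    if not fqdn.startswith("*."):
        return True                          # not a wildcard name at all
    remainder = fqdn[2:].lower()
    suffix = public_suffix(remainder)
    if suffix is None:
        return False                         # e.g. "*.local": no public suffix
    return remainder != suffix               # "*.co.uk" refused, "*.example.com" OK

def direct_root_issuance(chain):
    """BR 12: True if the leaf (chain[0]) is signed directly by a self-signed
    root, i.e. there is no intermediate. Each entry has subject/issuer/is_ca."""
    leaf = chain[0]
    roots = {c["subject"] for c in chain[1:]
             if c["is_ca"] and c["subject"] == c["issuer"]}
    return leaf["issuer"] in roots

# Constructed sample chain: a wildcard leaf signed directly by a root.
SAMPLE_CHAIN = [
    {"subject": "CN=*.example.com", "issuer": "CN=Example Root CA", "is_ca": False},
    {"subject": "CN=Example Root CA", "issuer": "CN=Example Root CA", "is_ca": True},
]

def review(chain):
    """Return the list of BR findings for a chain (leaf first)."""
    leaf_name = chain[0]["subject"].split("CN=", 1)[1]
    findings = []
    if not wildcard_allowed(leaf_name):
        findings.append("wildcard falls on a public suffix (BR 11.1.3)")
    if direct_root_issuance(chain):
        findings.append("leaf signed directly by root key (BR 12)")
    return findings

if __name__ == "__main__":
    for finding in review(SAMPLE_CHAIN):
        print(finding)
```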