On Thursday, 21 April 2016 17:15:43 UTC+1, Rick Andrews wrote:
> Microsoft has now expressed their opinion that they need to allow them 
> (https://cabforum.org/pipermail/public/2016-April/007335.html).

Did you mean to put another link there? That link is Jody writing about the 
hack of shoving IP addresses into DNS SANs because older Windows versions 
didn't grok IP address SANs. If Jody has written proclaiming that Microsoft (or 
its customers) "need" for everybody to allow these wildcards then I haven't 
seen it, and would appreciate a link.

"Other CAs also issued such certificates" is a bit vague. Other CAs also issued 
certificates for "webmail" and "10.0.0.1" but they stopped, because the BRs 
prohibit those abuses. Or if you've got evidence that they haven't stopped I'm 
sure m.d.s.policy is a good place to mention that in a new thread.

When _did_ another CA last issue one of these KB 258858 style wildcard 
certificates? A bit of ferreting around finds me a StartCom certificate from 
2014, and a GoDaddy cert from 2009. These are ancient history in SSL terms.

I did stumble onto horrors like https://crt.sh/?id=8066242 and 
https://crt.sh/?id=11547944 but mostly my searching for such shenanigans found 
me hilarious malware certs with CN=*.* reminding us why nobody legitimate would 
ever want to issue such things. Very thin gruel when it comes to current, 
unexpired, unrevoked certificates except for several issued to KPMG (Symantec's 
auditors) by Symantec.
_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

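The post above lumps together several kinds of name that should never appear in a publicly trusted certificate: internal names like "webmail", reserved IP addresses like "10.0.0.1", and KB 258858 style wildcards such as CN=*.* or a wildcard somewhere other than the leftmost label. The following is an added example, not code from the mailing-list post, from Mozilla, or from any CA: a small classifier that takes a list of dNSName/CN strings and says which of those categories each one falls into. The sample names are constructed for the example (they are not the crt.sh entries the post links to), and the small TLD list is an assumption standing in for the Public Suffix List a real checker would use.

```python
"""Classify certificate subject names the way a policy reviewer would.

Added example, not code from the post or from any CA. Rules encoded:
  * IP literals and reserved/private IP space (the '10.0.0.1' case),
  * internal names with no public TLD (the 'webmail' case),
  * wildcards anywhere but as the whole leftmost label ('*.*',
    'www.*.example.com', 'www*.example.com', '*.*.example.com').
"""
import ipaddress

# Assumption: a toy stand-in for the Public Suffix List, enough to decide
# whether a sample name ends in something registrable by the public.
_PUBLIC_TLDS = {"com", "net", "org", "uk", "de", "io"}


def classify(name: str) -> str:
    """Return 'ok' or a short reason the name should not be in a cert."""
    name = name.strip().rstrip(".").lower()
    if not name:
        return "empty"

    # IP address literal (v4 or v6) masquerading as a host name.
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    if ip is not None:
        if (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_reserved or ip.is_unspecified):
            return "reserved-ip"
        # Public IPs belong in an iPAddress SAN, never in dNSName/CN.
        return "ip-literal"

    labels = name.split(".")
    if any(label == "" for label in labels):
        return "empty-label"

    # A wildcard in the rightmost label ('*.*', 'example.*') matches
    # every name in existence; reject before anything else.
    if "*" in labels[-1]:
        return "wildcard-in-tld"

    # Single-label or non-public suffix: an internal name.
    if len(labels) == 1 or labels[-1] not in _PUBLIC_TLDS:
        return "internal-name"

    wild = [i for i, label in enumerate(labels) if "*" in label]
    if wild:
        if len(labels) == 2 and labels[0] == "*":
            return "wildcard-on-tld"          # '*.com'
        if len(wild) > 1:
            return "multiple-wildcards"       # '*.*.example.com'
        if wild[0] != 0:
            return "wildcard-not-leftmost"    # 'www.*.example.com'
        if labels[0] != "*":
            return "partial-label-wildcard"   # 'www*.example.com'
    return "ok"


def scan(names):
    """Map each name to its classification; only non-'ok' entries matter."""
    return {n: classify(n) for n in names}


def offenders(names):
    """Names that a BR-conformant CA should have refused, with reasons."""
    return {n: r for n, r in scan(names).items() if r != "ok"}


if __name__ == "__main__":
    # Constructed sample list for the example.
    sample = [
        "www.example.com", "*.example.com", "webmail", "10.0.0.1",
        "8.8.8.8", "*.*", "*.*.example.com", "www.*.example.com",
        "www*.example.com", "*.com", "printer.corp.local", "::1",
    ]
    for n, reason in offenders(sample).items():
        print(f"{n:24} {reason}")
```

The rightmost-label check runs before the TLD check on purpose: CN=*.* has no recognisable suffix at all, and it is more useful to report it as a wildcard abuse than as an internal name. Swapping `_PUBLIC_TLDS` for a real Public Suffix List lookup would also catch "*.co.uk" style wildcards on a registry-controlled level, which this toy list does not.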