On Wed, Apr 26, 2017 at 5:17 PM, okaphone.elektronika--- via
dev-security-policy <dev-security-policy@lists.mozilla.org> wrote:
> If this is about the possible consequences of compromise, then I'd say you
> should try to adres that. But please do come up with something that still
> allows for enough flexibility, so I can arrange the HTTPS everywhere you
> guys (browsers that is ;-) want so much. At least while there is only a
> single CA (LetsEncrypt) that offers an alternative for wildcards for a
> reasonable fixed price.

I'm not sure your concern - there's otherwise been broad support for
wildcards, only concerns related to the methods used to validate them to
ensure they're meaningful.

> After all the internet is also about variety isn't it? Seems to me there
> are not all that much CA's around... I do like the LetsEncrypt initiative
> but I also do hope they will not become the only choice. :-(
> I could live with wildcards that would only work for one DNS level for
> instance. Would that be an improvement?

They already only work for one DNS level, as a certificate. The
authorization the CA performs, however, lets them issue wildcards for any
number of subordinate subdomains - but only one wildcard in each, and each
certificate only covers a single hierarchy.

I realize that the conversation may be complex here, but I think it might
be best to simply assure you that your concerns are not misunderstood, but
more importantly, they are unwarranted, because no one is discussing
anything that would (negatively) impact the set of use cases you've
described so far. It's probably just a misunderstanding as to what's being
discussed and the subtlety of the validation points :)
dev-security-policy mailing list

Reply via email to