On 24/11/17 11:37, Rob Stradling wrote:
> When issuing a "single domain" certificate to (for example)
> www.example.com or *.example.com, it's fairly common practice for CAs to
> also include in the certificate a SAN.dNSName for the "base domain"
> (e.g., example.com). (Similarly, if the certificate request is for
> example.com, some CAs will add a SAN.dNSName for www.example.com).
IMO these two processes are not at all "similar".

Validate example.com -> add "www.example.com": seems fine to me, and a reasonable accommodation to a common customer desire.

Validate www.example.com -> add "example.com": not at all fine.

Validate *.example.com -> add "example.com": still dodgy IMO.

I seem to remember we have come across this before, and I thought we said it was not to be done. But perhaps that didn't make it into our policy. Do we need to add it?

Gerv

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy
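The three cases in the reply above come down to one question: given the names a CA has actually validated, which SAN dNSNames is it entitled to put in the certificate? The following is an added example, not code from the thread, from Mozilla, or from any CA, that encodes the conservative reading of the position taken above. Its assumptions are its own: authorization flows from a validated name down to names at or below it and never upward to a parent or base domain; a validated wildcard `*.example.com` covers only names exactly one label below `example.com`, not `example.com` itself; names are compared label by label after lowercasing and stripping a trailing dot; and no public-suffix-list check is made, so a real implementation must additionally refuse names at or above a public suffix.

```python
"""Added example (not from the thread or any CA's code): decide which
SAN dNSNames a set of validated domain names actually authorizes.

Assumptions (not stated in the original post):
  * authorization flows from a validated name to names at or below it,
    never upward to a parent/base domain;
  * a validated wildcard "*.example.com" covers only names exactly one
    label below example.com, and not example.com itself;
  * names are compared label by label after lowercasing and stripping a
    trailing dot; no public-suffix-list check is performed.
"""
from typing import Dict, Iterable, List, Tuple


def _labels(name: str) -> List[str]:
    """Normalise a DNS name into a list of lowercase labels."""
    name = name.strip().rstrip(".").lower()
    labels = name.split(".")
    if not name or any(label == "" for label in labels):
        raise ValueError(f"malformed DNS name: {name!r}")
    return labels


def covers(validated: str, requested: str) -> Tuple[bool, str]:
    """Return (authorized, reason) for one validated name and one requested SAN."""
    v, r = _labels(validated), _labels(requested)
    if r == v:
        return True, f"{requested} is exactly the validated name"

    if v[0] == "*":
        # Wildcard validated: covers one label below its base, not the base.
        base = v[1:]
        if r == base:
            return False, (f"{requested} is the base domain of validated wildcard "
                           f"{validated}; the base domain itself was not validated")
        if r[0] != "*" and len(r) == len(base) + 1 and r[1:] == base:
            return True, f"{requested} is covered by validated wildcard {validated}"
        return False, f"{requested} is not covered by validated wildcard {validated}"

    if r[0] == "*":
        # A wildcard SAN is only authorized when its base domain was validated.
        if r[1:] == v:
            return True, f"{requested} is a wildcard directly under validated {validated}"
        return False, f"{requested} is a wildcard not directly under validated {validated}"

    # Label-wise suffix comparison, so "example.com.evil.net" does not match.
    if len(r) > len(v) and r[-len(v):] == v:
        return True, f"{requested} is a subdomain of validated {validated}"
    if len(r) < len(v) and v[-len(r):] == r:
        return False, (f"{requested} is a parent of validated {validated}; "
                       "validation does not flow upward to the base domain")
    return False, f"{requested} is unrelated to validated {validated}"


def check_sans(validated: Iterable[str],
               sans: Iterable[str]) -> Dict[str, Tuple[bool, str]]:
    """Map each requested SAN to (authorized, reason): authorized if any
    validated name covers it. The reason is the first positive match,
    otherwise the first refusal."""
    validated = list(validated)
    result: Dict[str, Tuple[bool, str]] = {}
    for san in sans:
        if not validated:
            result[san] = (False, f"{san}: no validated names")
            continue
        verdicts = [covers(v, san) for v in validated]
        hit = next((vd for vd in verdicts if vd[0]), None)
        result[san] = hit if hit else verdicts[0]
    return result


if __name__ == "__main__":
    # Constructed requests mirroring the three cases in the reply above.
    for validated_name, requested_name in [("example.com", "www.example.com"),
                                           ("www.example.com", "example.com"),
                                           ("*.example.com", "example.com")]:
        ok, why = check_sans([validated_name], [requested_name])[requested_name]
        print(f"{'OK  ' if ok else 'DENY'} {why}")
```

Run as a script it prints one verdict per case: the first is allowed, the other two are refused with the reason that the base domain was never validated. The label-wise comparison matters: a plain string `endswith` check would let `example.com.evil.net` pass as a "subdomain" of `example.com`.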

