Florian Weimer wrote:
> Personally, I think that in order to make a difference, EV
> certificates must verify not only that the certificate holder is in
> control of embedded domain names (the usual EV CPS is basically
> equivalent to domain-control certificates in this area), but also that
> the certificate holder has got all the relevant trademark rights.
> Wildcard certificates would probably have to go, too.

Certificates with subjectAltName extensions should be able to replace wildcard certificates; the question is, what checks should be applied to hostnames? Most banks and other large entities have a list of hostnames as long as my arm for load balancing and other valid reasons; most often they look deceptive in my opinion, and almost phishing-like in some cases.

--
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Because e164.arpa is a tax on VoIP

"In the long run the pessimist may be proved right,
but the optimist has a better time on the trip."
