> Certificates with subjectAltName extensions should be able to
> replace wildcard certificates; the question is what checks should
> be applied to hostnames?
>
> Most banks and other large entities have a list of hostnames as long
> as my arm for load balancing and other valid reasons, which most often
> look deceptive in my opinion, and almost phishing-like in some
> cases.
Host names like c1d3q2 are fine, but you shouldn't be allowed to use a well-known or registered trademark. If I read the Verisign CPS correctly, I would be able to obtain an EV certificate for citibank.enyo.de if I incorporated. Given that it's not too hard to set up a phony company, this undermines the purpose of EV certificates, doesn't it? After all, it's not about validation, it's about identification.

_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
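The check the reply argues for, as an added example that is not part of the original thread or of any CA's actual issuance code: given the dNSName entries an applicant requests and the registrable domains the CA has already validated for that applicant, allow neutral labels such as c1d3q2, reject wildcards in favour of explicit names, reject names outside the validated domains, and reject labels that embed a well-known name the applicant does not own (so citibank.enyo.de is refused unless the applicant also holds a citibank domain). The brand list, the tiny public-suffix table, the hostnames and the function names are all constructed for this example; a real CA would use the Public Suffix List and its own trademark database.

```python
"""Policy check for subjectAltName dNSName entries (added example).

Implements the rule argued for on the list: arbitrary labels under a
validated domain are fine, wildcards are discouraged, and a label may
not embed a well-known name the applicant has not been validated for.
All lists and names below are constructed for the example.
"""
from typing import Iterable, List, Tuple

# Constructed denylist of well-known names (hypothetical; a CA would
# maintain a real trademark list).
WELL_KNOWN_BRANDS = frozenset({"citibank", "paypal", "mozilla"})

# Constructed, minimal public-suffix table; real code uses the Public
# Suffix List. Enough to split "host.enyo.de" into "enyo.de".
PUBLIC_SUFFIXES = frozenset({"com", "de", "net", "org", "co.uk"})


def normalize(hostname: str) -> str:
    """Lower-case and drop a trailing dot; DNS matching is case-insensitive."""
    return hostname.strip().rstrip(".").lower()


def registrable_domain(hostname: str) -> str:
    """Public suffix plus one label ("enyo.de", "b.co.uk"), or "" when the
    name is only a public suffix or has too few labels."""
    labels = hostname.split(".")
    for n in (2, 1):  # try the longer suffix first so co.uk beats uk
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[-(n + 1):])
    return ""


def brand_in_label(label: str, brands: Iterable[str]) -> str:
    """Return the brand a label embeds once hyphens and digits are removed,
    so 'citi-bank2' still matches 'citibank'; "" if none."""
    squashed = "".join(ch for ch in label if ch.isalpha())
    for brand in brands:
        if brand in squashed:
            return brand
    return ""


def check_san_hostnames(
    hostnames: Iterable[str],
    verified_domains: Iterable[str],
    brands: frozenset = WELL_KNOWN_BRANDS,
) -> List[Tuple[str, str, str]]:
    """Evaluate each requested dNSName against the policy.

    verified_domains are registrable domains the applicant proved control
    of (assumed to come from the CA's validation step). Returns a list of
    (hostname, verdict, reason) with verdict "ok" or "reject".
    """
    verified = {normalize(d) for d in verified_domains}
    # A brand that appears in one of the applicant's validated domains is
    # theirs to use in any label (e.g. 'citibank' for citibank.com).
    owned = {b for d in verified for b in brands if brand_in_label(d.split(".")[0], [b])}
    foreign_brands = brands - owned
    results: List[Tuple[str, str, str]] = []
    for raw in hostnames:
        host = normalize(raw)
        if host.startswith("*."):
            results.append((raw, "reject", "wildcard; list explicit names instead"))
            continue
        reg = registrable_domain(host)
        if not reg or reg not in verified:
            results.append((raw, "reject", "not under a domain validated for this applicant"))
            continue
        # Only the labels left of the registrable domain are freely chosen
        # by the applicant, so only those are screened for foreign brands.
        prefix = host[: len(host) - len(reg)].rstrip(".")
        hit = ""
        for label in filter(None, prefix.split(".")):
            hit = brand_in_label(label, foreign_brands)
            if hit:
                break
        if hit:
            results.append((raw, "reject", f"label uses well-known name '{hit}' the applicant does not own"))
        else:
            results.append((raw, "ok", "validated domain, neutral labels"))
    return results


if __name__ == "__main__":
    # Constructed request from an applicant validated only for enyo.de.
    requested = ["c1d3q2.enyo.de", "www.enyo.de", "citibank.enyo.de",
                 "Citi-Bank2.enyo.de.", "login.paypal.com", "*.enyo.de", "enyo.de"]
    for name, verdict, reason in check_san_hostnames(requested, {"enyo.de"}):
        print(f"{name:22} {verdict:7} {reason}")
```

Running the block prints the verdict for each constructed name; the two variants of the citibank label are refused while the opaque load-balancer style names pass. The squashing of hyphens and digits before matching is what catches "Citi-Bank2"; extending the same idea to IDN labels (decoding xn-- punycode and mapping confusable characters) is the obvious next step and is not attempted here.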
