My idea isn't fully formed yet, but... Wildcard certs are more risky than normal certs since the CA doesn't know exactly what they are securing. All they know is the secured base level domain. Therefore, I think the public has a strong interest in knowing when a wildcard cert was issued v. a standard FQDN cert. However, I'm not sure there's much more risk to end certificate requester - they still know everything that's been issued for their domain. It certainly doesn't make life easier for the CT operator or CA, but it gives important information to the relying parties looking at certs. If they look up a cert in the CT log, they'll be able to easily identify if the entire domain is secured by the same, logged cert.
Jeremy

-----Original Message-----
From: Trans [mailto:[email protected]] On Behalf Of Daniel Kahn Gillmor
Sent: Friday, January 30, 2015 3:07 PM
To: trans
Subject: Re: [Trans] [trans] #54 (rfc6962-bis): Simplify name redaction

On Fri 2015-01-30 15:40:38 -0500, Jeremy Rowley wrote:
> Although I just realized you're probably wondering if you can
> substitute "?" for "*" - so *.example.com would become ?.example.com.
>
> It's a good question. I think there's real value in knowing whether a
> wildcard cert was issued over a non-wildcard. I'd actually like the
> rfc to say you can't substitute ? for a wildcard character as you're
> essentially substituting ? for an unlimited number of base domain
> names.

But isn't that kind of the point?

If i control foo.example, and i'm monitoring the logs to make sure no one impersonates anything in my zone (including the apex), then i'm looking for all of the following literal matches as suffixes:

  foo.example
  ?.example
  *.example

In particular, of course, i'm looking for entries in the logs that are associated with public keys not under my control (i can ignore my own entries).

Note that the first entry there also covers literal strings like:

  ?.foo.example
  *.foo.example

If i find anything in the logs matching those suffixes, i know that my domain name may have been hijacked, because a matching form could be there. It wouldn't matter to me whether it was being hijacked by someone with a cert that says "foo.example" instead of "*.example", or "*.foo.example" instead of "www.foo.example" -- either one is sufficient to raise an alarm, and (because of the redaction) i wouldn't know if "?.foo.example" was issued to "www.foo.example" or "bar.foo.example" anyway.

I still don't see why we shouldn't allow redaction of a wildcard label. What does this restriction defend against? how does it make life easier or better for any of the players in the CT ecosystem?

--dkg

_______________________________________________
Trans mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/trans
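The suffix-matching monitor dkg describes above, written out as an added Python example (it is not code from the thread or from any CT project). The zone name, the key identifiers and the log entries are all constructed for illustration; the point it shows is that a monitor for foo.example catches redacted ("?") and wildcard ("*") names at the parent level and everything below foo.example with the same three literal suffixes, while skipping entries bound to the owner's own keys.

```python
"""Suffix-based Certificate Transparency log monitoring for one zone.

Constructed example: the owner of foo.example scans log entries and flags any
name that could cover something in that zone, unless the entry is bound to a
public key the owner controls. Names are matched as literal suffixes, so a
redacted label ("?") or a wildcard label ("*") needs no special parsing.
"""

MONITORED_ZONE = "foo.example"  # assumed zone, as in the thread


def matching_suffixes(zone):
    """Return the literal suffixes a zone owner must watch for.

    For foo.example these are foo.example, ?.example and *.example: the zone
    itself, a redacted label in the parent, and a wildcard in the parent.
    Deeper names (www.foo.example, ?.foo.example, *.foo.example) already end
    in foo.example and are covered by the first suffix.
    """
    labels = zone.lower().rstrip(".").split(".")
    parent = ".".join(labels[1:])
    suffixes = [".".join(labels)]
    if parent:
        suffixes.append("?." + parent)
        suffixes.append("*." + parent)
    return suffixes


def name_matches(name, zone):
    """True if a logged (possibly redacted or wildcard) name could cover the zone.

    The match is anchored on a label boundary, so barfoo.example does not
    match foo.example.
    """
    name = name.lower().rstrip(".")
    for suffix in matching_suffixes(zone):
        if name == suffix or name.endswith("." + suffix):
            return True
    return False


def scan_log(entries, zone, own_key_ids):
    """Return (log_index, name, key_id) for entries that need investigation.

    An entry is flagged when at least one of its names matches the zone's
    suffixes and its key is not one the zone owner controls.
    """
    alarms = []
    for entry in entries:
        if entry["key_id"] in own_key_ids:
            continue  # our own issuance; nothing to investigate
        for name in entry["names"]:
            if name_matches(name, zone):
                alarms.append((entry["log_index"], name, entry["key_id"]))
                break
    return alarms


# Constructed log entries: key_id stands in for a hash of the SubjectPublicKeyInfo.
SAMPLE_ENTRIES = [
    {"log_index": 1, "names": ["www.foo.example"], "key_id": "own-key-1"},
    # redacted: could be www.foo.example or bar.foo.example, either way in our zone
    {"log_index": 2, "names": ["?.foo.example"], "key_id": "key-unknown-a"},
    # wildcard at the parent covers foo.example
    {"log_index": 3, "names": ["*.example"], "key_id": "key-unknown-b"},
    # redacted label at the parent: could hide foo.example or *.example
    {"log_index": 4, "names": ["?.example"], "key_id": "key-unknown-c"},
    # unrelated names, including a near miss on the label boundary
    {"log_index": 5, "names": ["barfoo.example", "www.other.example"], "key_id": "key-unknown-d"},
    # the apex itself, issued to a key we do not control
    {"log_index": 6, "names": ["foo.example"], "key_id": "key-unknown-e"},
]

OWN_KEY_IDS = {"own-key-1"}


def main():
    for log_index, name, key_id in scan_log(SAMPLE_ENTRIES, MONITORED_ZONE, OWN_KEY_IDS):
        print(f"ALARM log entry {log_index}: {name} bound to {key_id}")


if __name__ == "__main__":
    main()
```

Run as a script it prints one alarm line for entries 2, 3, 4 and 6; entry 1 is skipped because the key is the owner's, and entry 5 is not flagged because neither name sits under the monitored suffixes.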
