Re: [certid] open issue: wildcards in component fragments
Peter Saint-Andre <stpeter@stpeter.im> Wed, 13 October 2010 21:51 UTC
On 10/13/10 3:39 PM, =JeffH wrote:
>> Note that at least two technology communities have forbidden wildcard
>> certificates:
>>
>> 1. RFC 5992 forbids wildcard certificates in the SIP community.
>>
>> 2. The CA/Browser Forum doesn't allow issuance of wildcard certificates
>> under its "Extended Validation Certificates" profile.
>>
>> So there is some precedent for forbidding wildcard certificates. Is that
>> a best current practice? Should this I-D state that wildcard
>> certificates (of whatever variety) are NOT RECOMMENDED?
>
>
> I'm thinking that the latter is the way to go wrt wildcards. RFC2119 sez..
>
> 4. SHOULD NOT This phrase, or the phrase "NOT RECOMMENDED" mean that
> there may exist valid reasons in particular circumstances when the
> particular behavior is acceptable or even useful, but the full
> implications should be understood and the case carefully weighed
> before implementing any behavior described with this label.
>
> ..which certainly sounds reasonable for this situation.
>
> Our working copy of -tls-server-id-check (which we are trying to pub by end
> of this week) has further clarifications wrt the spec's not outright
> forbidding current practice and various other current specifications,
> thus present wildcard use does not necessarily conflict with such a "NOT
> RECOMMENDED" stance. Plus such a stance aligns better with the EV
> Guidelines, RFC5992, and perhaps other specs going forward.

Jeff and I have been thinking about this independently today, and it seems
we're going in the same direction. Following Martin Rex's argument to its
logical conclusion has led me to believe that wildcards deserve to be NOT
RECOMMENDED in a best current practice document.

Peter

--
Peter Saint-Andre
https://stpeter.im/
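As a defender-side illustration of the two wildcard varieties the thread distinguishes (whole left-most label versus a wildcard inside a label fragment), here is an added example that is not code from the certid list or from the tls-server-id-check draft: it classifies dNSName-style identifiers so a certificate review policy can flag every wildcard form as NOT RECOMMENDED, and it matches a wildcard identifier against a hostname conservatively, so that a wildcard never spans a dot. The category names, the "at least three labels" rule and the matching rules are this example's own assumptions, not draft text.

```python
import re

# Category names are this example's own, not terminology from any draft.
NO_WILDCARD = "no-wildcard"
LEFTMOST_LABEL = "leftmost-label-wildcard"    # e.g. *.example.com
FRAGMENT = "component-fragment-wildcard"      # e.g. f*o.example.com
MALFORMED = "malformed-wildcard"              # e.g. www.*.example.com, *.com

# One DNS label: LDH characters, may contain '*', no leading/trailing hyphen.
LABEL_RE = re.compile(r"^[a-z0-9*](?:[a-z0-9*-]*[a-z0-9*])?$")


def _labels(name: str):
    return name.strip().lower().rstrip(".").split(".")


def classify_identifier(name: str) -> str:
    """Classify an identifier by how (and whether) it uses a wildcard."""
    labels = _labels(name)
    if any(not LABEL_RE.match(label) for label in labels):
        return MALFORMED
    if "*" not in name:
        return NO_WILDCARD
    # Assumption: a wildcard is only acceptable in the left-most label, and
    # a pattern like "*.com" (fewer than three labels) is rejected outright.
    if any("*" in label for label in labels[1:]) or len(labels) < 3:
        return MALFORMED
    first = labels[0]
    if first == "*":
        return LEFTMOST_LABEL
    return FRAGMENT if first.count("*") == 1 else MALFORMED


def audit(names):
    """Identifiers a NOT RECOMMENDED policy would flag, with their category."""
    flagged = [(n, classify_identifier(n)) for n in names]
    return [(n, kind) for n, kind in flagged if kind != NO_WILDCARD]


def matches(pattern: str, host: str) -> bool:
    """Conservative match: '*' stands for part of the left-most label only."""
    if classify_identifier(pattern) == MALFORMED:
        return False
    p_labels, h_labels = _labels(pattern), _labels(host)
    if any("*" in l or not LABEL_RE.match(l) for l in h_labels):
        return False
    if len(p_labels) != len(h_labels) or p_labels[1:] != h_labels[1:]:
        return False
    first_p, first_h = p_labels[0], h_labels[0]
    if "*" not in first_p:
        return first_p == first_h
    head, tail = first_p.split("*", 1)
    return (len(first_h) >= len(head) + len(tail)
            and first_h.startswith(head) and first_h.endswith(tail))
```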