> From: owner-openssl-us...@openssl.org On Behalf Of Charles Mills
> Sent: Wednesday, 24 October, 2012 19:11
>
> Nor does *.domain.com work for domain.com, correct?
>

Right. Which is why many (most?) public CAs, when you request a wildcard, issue SubjAltNames containing two entries, domain.com and *.domain.com. Many I have looked at spend 3 or 10 huge web pages explaining how this is such a wonderful feature you should be thrilled to pay for, when it costs them zero and is a trivial workaround immediately obvious to anyone with an IQ above room temperature. But then basically all consumer products nowadays are marketed that way.

> Just out of curiosity, do you perceive a trust constrain[t]
> there (for any real-world situation)?
>

No, same reasoning -- they've checked you control domain.com. The wildcard standard just didn't include this case.
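
The matching behaviour discussed in this message, as an added example that is not part of the original post and is not OpenSSL's code. It assumes the common rule that a whole-label `*` in the left-most position stands for exactly one label; the function names and the sample SAN lists are constructed for illustration.

```python
def _labels(name):
    # Case-insensitive comparison, ignoring a trailing root dot.
    return name.rstrip(".").lower().split(".")


def san_matches(pattern, hostname):
    """True if a single dNSName pattern covers hostname."""
    p, h = _labels(pattern), _labels(hostname)
    if len(p) != len(h):
        # "*" stands for exactly one label, so *.domain.com can never
        # cover domain.com (one label fewer) or a.b.domain.com (one more).
        return False
    if p[0] == "*":
        # Wildcard label must match a non-empty label; the rest is literal.
        return h[0] != "" and p[1:] == h[1:]
    # Anything else, including partial wildcards such as f*.domain.com,
    # is compared literally in this simplified matcher.
    return p == h


def cert_covers(san_list, hostname):
    """True if any SubjAltName entry covers hostname."""
    return any(san_matches(p, hostname) for p in san_list)


def uncovered(san_list, hostnames):
    """Hostnames a client would reject for this certificate's SAN list."""
    return [h for h in hostnames if not cert_covers(san_list, h)]


# Constructed sample data: a wildcard-only certificate and the two-entry
# form that the message says many public CAs issue.
WILDCARD_ONLY = ["*.domain.com"]
WITH_APEX = ["domain.com", "*.domain.com"]
HOSTS = ["domain.com", "www.domain.com", "a.b.domain.com"]

if __name__ == "__main__":
    print("wildcard only :", uncovered(WILDCARD_ONLY, HOSTS))
    print("apex+wildcard :", uncovered(WITH_APEX, HOSTS))
```

Running `uncovered` against the names you actually serve before ordering a certificate shows whether the apex entry is needed and which deeper subdomains still require their own SAN entries.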