On Thu, Jul 08, 2021 at 01:52:42PM -0600, Peter Saint-Andre wrote:

> > So the sooner we can get rid of wildcard certificates entirely, the
> > better.  They've outlived their usefulness.
> 
> Jeff Hodges and I had hoped to push for deprecating wildcard certs when
> working on RFC 6125 10+ years ago, but the world wasn't ready for it
> then. Are we ready now? What would be the impact (positive and negative)
> of deprecating them?

Not surprisingly, I'd like to see that happen, but I don't know how we'd
get the users on board.  The reasons to drop support are all technical,
but users tend to go for convenience, even when both less secure and
less reliable.

Can "the industry" (CAs, software vendors, ...) unite behind getting the
users to accept the right, but arguably less convenient, tradeoff?

With cert lifecycles increasingly automated and short-term, and manual
processes going away, this feels like almost the right time to try to
make the case, but it is likely still difficult.

-- 
    Viktor.

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
