On Thu, Jul 08, 2021 at 06:52:15PM -0400, Ryan Sleevi wrote:

> > Can "the industry" (CAs, software vendors, ...) unite behind getting the
> > users to accept the right, but arguably less convenient, tradeoff?
> 
> No. I think deprecating wildcards would be a bad outcome for users and for
> server operators.
> 
> While I agree there are legitimate concerns about wildcards, I would not be
> supportive of trying to remove them, which was the same position shared
> years ago. The concerns being highlighted are things that I would prefer to
> be better addressed via ALPN and SRVNames, [...]

Yes, there are some use-cases in which wildcards are used correctly, and
many where they are carelessly misused.  Perhaps it may suffice to more
strongly discourage such misuse.

For example, wildcards would be needed for Microsoft to support MTA-STS
for the various domains that are MX-hosted by *.mail.protection.outlook.com.

    nist.gov. IN MX 0 nist-gov.mail.protection.outlook.com.
    microsoft.com. IN MX 10 microsoft-com.mail.protection.outlook.com.
    ... a few hundred thousand more ...

These are spread over various data-centres, but just one wildcard cert
covers them all.  The customer-specific prefix makes it possible to bias
particular customers to particular sites, or move them as needed.

-- 
    Viktor.
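An added example, not part of the thread above: it shows why the one wildcard name covers every per-customer MX host, and which names it does not cover. The MX hostnames are the ones quoted in the message; the functions and the single-label matching rule (as in RFC 8461 MTA-STS "mx" patterns and RFC 6125 certificate names) are assumptions for illustration.

```python
"""Wildcard name matching as used for MTA-STS policy "mx" patterns and for
TLS certificate dNSName checks: '*' stands for exactly one leading label."""

# Constructed sample, based on the two MX records quoted in the message.
MX_HOSTS = {
    "nist.gov": "nist-gov.mail.protection.outlook.com",
    "microsoft.com": "microsoft-com.mail.protection.outlook.com",
}


def wildcard_matches(pattern, hostname):
    """True if hostname matches pattern.  A leading '*' matches exactly one
    non-empty DNS label; a wildcard anywhere else is rejected."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    if not pattern.startswith("*.") or "*" in pattern[1:]:
        return False  # e.g. "foo*.example.com" or "a.*.example.com"
    suffix = pattern[1:]  # ".mail.protection.outlook.com"
    if not hostname.endswith(suffix):
        return False
    head = hostname[: -len(suffix)]
    # Exactly one label: rejects the bare suffix and "a.b.<suffix>".
    return bool(head) and "." not in head


def mx_allowed(policy_mx, mx_host):
    """MTA-STS check: the MX host resolved from DNS must match one of the
    policy's 'mx' patterns, otherwise mail must not be sent to it."""
    return any(wildcard_matches(p, mx_host) for p in policy_mx)


def cert_covers(san_names, mx_host):
    """Certificate identity check: some SAN dNSName must cover the MX
    hostname the client connected to."""
    return any(wildcard_matches(n, mx_host) for n in san_names)


if __name__ == "__main__":
    policy = ["*.mail.protection.outlook.com"]   # assumed policy content
    sans = ["*.mail.protection.outlook.com"]     # assumed certificate SAN
    for domain, mx in MX_HOSTS.items():
        print(domain, mx, mx_allowed(policy, mx), cert_covers(sans, mx))
```

The same function serves both checks because both standards use the same one-label wildcard semantics, so the bare suffix `mail.protection.outlook.com` and any two-label prefix are correctly rejected.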

_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
