SSL Wildcard and SSL Changes in a Majority of Web Browsers


web...@gmail.com

May 19, 2017, 11:24:44 AM5/19/17
to Security-dev
There have been a lot of changes in the way all browsers handle SSL certs. Are wildcard certs next on the chopping block?

I suppose a lot of the changes have come from other forums and such, but I figured this list would have some idea.

Ryan Sleevi

May 19, 2017, 11:32:38 AM5/19/17
to web...@gmail.com, Security-dev
No.

Wildcard certs are an important and valuable part of the Web PKI. Google has been supportive in the CA/Browser Forum of expanding the support of wildcard certificates to include EV certificates as well.

In general, discussions about changes to the Web PKI happen:
- In the CA/Browser Forum initially, to solicit wide feedback from CAs on the potential implications and complications
- Within mozilla.dev.security.policy, which provides a forum that allows the public to comment on changes and implications (which the CA/Browser Forum does not permit) and collaborative development amongst browser vendors
- And, should a change be made to deprecate or remove something, on blink-dev@, in the context of an "Intent to Deprecate and Remove" (if removing support for a feature)

In general, the CA/Browser Forum governs what CAs can or cannot issue. mozilla.dev.security.policy similarly reflects discussions related to policies on CAs' permitted and unpermitted actions. blink-dev@ represents collaborations on what is supported and not supported - independent of whether or not a CA is permitted to issue such certificates.

To give a finer point on this - CAs are permitted to issue all manner of certificates with different EKUs, while Chromium only trusts a limited subset of those for purposes of SSL/TLS authentication (namely, id-kp-serverAuth, the any EKU, or lacking an EKU extension entirely).

Does that help address the question?
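The EKU acceptance rule stated in this reply (id-kp-serverAuth, anyExtendedKeyUsage, or no EKU extension at all), written out as an added Go example; this is not Chromium's code, and the self-signed certificates it builds are constructed test input, not real certificates.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"fmt"
	"math/big"
	"time"
)

// usableForServerAuth returns true when a cert is eligible for TLS server
// authentication under the rule above: no EKU extension, or an EKU list that
// contains id-kp-serverAuth or anyExtendedKeyUsage. Anything else is rejected.
func usableForServerAuth(cert *x509.Certificate) bool {
	if len(cert.ExtKeyUsage) == 0 && len(cert.UnknownExtKeyUsage) == 0 {
		return true // EKU extension absent entirely
	}
	for _, eku := range cert.ExtKeyUsage {
		if eku == x509.ExtKeyUsageServerAuth || eku == x509.ExtKeyUsageAny {
			return true
		}
	}
	return false // e.g. clientAuth only, or only unrecognised OIDs
}

// selfSigned builds a throwaway self-signed cert (constructed input) for the
// given DNS name and EKU list; a nil list omits the EKU extension.
func selfSigned(name string, ekus []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  ekus,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	cert, _ := selfSigned("*.example.com", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
	fmt.Println("clientAuth-only wildcard cert usable for server auth:", usableForServerAuth(cert))
}
```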

Vincent Lynch

May 19, 2017, 11:33:11 AM5/19/17
to web...@gmail.com, Security-dev
Hi,

As far as I am aware, none of the browsers (or the CAB Forum) is actively considering the removal of wildcard certificates.

My personal opinion, based on regularly reading this forum and the CABF public list, is that the browsers do not consider wildcards to be an issue in the web PKI.

In fact, Mozilla recently discussed a similar topic and the consensus was that there was no issue with wildcard certs:

--
Vincent Lynch