On Tue, Apr 29, 2025 at 03:57:14PM +0000, Salz, Rich wrote:
> The wildcards as defined in 6125 are more tightly constrained/defined
> in 9125. They were a novelty back then, and are commonplace now, such
> that the advice of 6125 – avoid them unless you have a need – is
> *inverted* in 9125 which says that an application MAY not support
> them, if so defined (sec 3), so yes, 9125 recommends support.
>
> I think this is a good idea and support the change.
>
> I am a co-author of 9125.

And yet, they're still best avoided, unless there is a good reason to support
them. The security story with wildcards is all bad news: cross-application
protocol attacks, redirects to the wrong host, single point of failure on
rollover, ...

And with free ACME certs, or for TACACS likely issued by an internal CA,
there's little good reason to want a wildcard cert.

Is there in fact a good reason in this case? Or is this just a needless
concession to sloppy practice?

-- 
Viktor.

-- 
last-call mailing list -- last-call@xxxxxxxx
To unsubscribe send an email to last-call-leave@xxxxxxxx