by grahamedgecombe
3604 days ago
CAs are forbidden from issuing a cert for * .co.uk. The Baseline Requirements say:

> The CA MUST establish and follow a documented procedure that determines if the wildcard character occurs in the first label position to the left of a "registry-controlled" label or "public suffix" (e.g. "* .com", "* .co.uk", see RFC 6454 Section 8.2 for further explanation).

This basically means that the CA should check the Public Suffix List before they issue a wildcard. As a 'just in case' measure, most modern browsers also reject certs where the wildcard is directly below something on the PSL.

(sorry for the spaces after the asterisks, HN seemed to like converting big chunks of the post to italics)
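One way to implement the check the comment describes, as an added example that is not the commenter's code: resolve the public suffix of the name under the wildcard with the PSL matching algorithm (longest rule wins, `!` exception rules beat `*` wildcard rules) and refuse the wildcard when that name is itself a public suffix. The rule excerpt is a constructed subset in the real PSL file format; a production check loads the full list from publicsuffix.org.

```python
# Constructed excerpt of PSL rules (real file format, tiny subset for the example).
PSL_RULES = """
// ===BEGIN ICANN DOMAINS===
com
uk
co.uk
ck
*.ck
!www.ck
"""


def parse_rules(text):
    """Return the non-comment, non-empty PSL rule lines, lower-cased."""
    return [ln.strip().lower() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("//")]


RULES = parse_rules(PSL_RULES)


def public_suffix(name, rules):
    """Public suffix of `name` per the PSL algorithm: a rule matches when its
    labels equal the trailing labels of the name ('*' matches any one label);
    an exception rule ('!') prevails, else the rule with the most labels;
    no match means the last label alone is the suffix."""
    labels = name.lower().rstrip(".").split(".")
    best = None  # (is_exception, rule_labels)
    for rule in rules:
        is_exc = rule.startswith("!")
        rlabels = rule.lstrip("!").split(".")
        if len(rlabels) > len(labels):
            continue
        if all(r in ("*", lab) for r, lab in zip(rlabels, labels[-len(rlabels):])):
            if is_exc:
                best = (True, rlabels)
                break
            if best is None or len(rlabels) > len(best[1]):
                best = (False, rlabels)
    if best is None:
        return labels[-1]
    n = len(best[1]) - 1 if best[0] else len(best[1])  # exception: drop leftmost label
    return ".".join(labels[-n:])


def wildcard_allowed(san, rules=RULES):
    """Baseline-Requirements style gate: the wildcard must be the whole leftmost
    label and must not sit directly above a public suffix."""
    if not san.startswith("*."):
        return "*" not in san      # plain names pass; '*' anywhere else fails
    base = san[2:]
    if "*" in base:
        return False
    return public_suffix(base, rules) != base.lower().rstrip(".")
```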
The Public Suffix list is an imperfectly maintained list. You're relying on Mozilla to maintain it. You also never know if someone is selling names below their own zone. What if Mozilla decides to no longer maintain it? What if the volunteers stop maintaining it?
Maybe the PSL is a good start, but I would rather not rely on it. It's a convenience vs. security balance issue, and I'm leaning towards security.