undefined | Better HN

0 pointstasuki1y ago0 comments

No one is saying wildcard certificates should be mandatory. An old test box shouldn't have a wildcard certificate for sure.

Yours is not an argument against wildcard certificates! Yes, like, everything else ever, wildcard certificates can be misused.

0 comments

lxgr1y ago

Nobody is proposing to make them mandatory.

They were proposed here as an alternative to domain-restricted sub-CAs, but GP and me have given counterexamples as to why they're not (or at least not without downsides).

freedomben1y ago

You're arguing against a strawman (an argument that nobody is making).

> No one is saying wildcard certificates should be mandatory.

Nor am I saying they shouldn't ever be used.

You may interpret it differently, but to me:

> Why? As I understand it, the domain owner can assign the name you “trust” to any server already. Might as well trust all names by that domain owner.

Essentially means "default to a wildcard." My example is absolutely a good reason why you should not default to a wildcard. There are situations where they make good sense. I use them myself. It's a terrible idea to use them everywhere and always, which is usually what ends up happening when wildcard certs are the default approach.

j / k navigate · click thread line to collapse