在 CA/Browser Forum 三月底的會議記錄裡看到了關於 wildcard ssl certificate 的一些討論,還蠻有趣的:「2016-03-31 Minutes」。
主要是第五條的記錄,在討論更廣泛的 wildcard 用法。首先是 Microsoft 對 ww*.example.com
這種 domain 的認定:
Rick said there was a Microsoft tech note that allows ww*.example.com. Jody confirmed the platform supports it.
但有爭論,而且目前看起來暫時沒有打算要實作:
Rick suggested the BRs be updated to include that. Ryan said that is not a good thing as there are multiple specs that treat this differently and historical context which would make it hard for Google to support such a ballot. Kirk asked why Peter put this in the ballot. He responded that this was raised in the past where people found a discrepancy in relation to other docs. However, given there was not consensus, he would remove from the proposed ballot. Ryan said there is a need for clarification because CAs seem to be interpreting this differently. Peter said he would create a new definition called “wildcard domain name” with an exact definition to avoid confusion and add clarity. Rick said that ideally Microsoft should remove that functionality and update the tech notes. Jody said he would need to consult with his expert on this. Peter said the goal of this ballot was to make it a “consensus” ballot and would remove anything controversial.
看起來還沒有完全定下來,之後的會議記錄可以再看看進展。這對安全性也頗有幫助,舉例來說,我就可以針對不同的服務發不同的 wildcard ssl certificate,像是 test-*.example.com
這樣,而不用另外再建立機制避免 private key 的外流。