Talk:Wildcard certificate

This article is rated Start-class on Wikipedia's content assessment scale. It is of interest to the following WikiProjects:

Cryptography: Computer science This article is within the scope of WikiProject Cryptography, a collaborative effort to improve the coverage of Cryptography on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks. ??? This article has not yet received a rating on the importance scale. This article is supported by WikiProject Computer science. Computing: Websites This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of computers, computing, and information technology on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks. ??? This article has not yet received a rating on the project's importance scale. This article is supported by WikiProject Websites. This article is supported by WikiProject Computer Security. Things you can help WikiProject Computer Security with: edit history watch purge Article alerts will be generated shortly by AAlertBot. Please allow some days for processing. More information... Answer question about Same-origin_policy Review importance and quality of existing articles Identify categories related to Computer Security Tag related articles Identify articles for creation (see also: Article requests) Identify articles for improvement Create the Project Navigation Box including lists of adopted articles, requested articles, reviewed articles, etc. Find editors who have shown interest in this subject and ask them to take a look here.

Misleading Analogy

Latest comment: 8 years ago1 comment1 person in discussion

DNA is a lot harder to spoof than DNS, making this analogy give non-technical users more confidence in wildcard binding than it ought to. I suggest a change to last name rather than DNA, which would give a more appropriate impression -- especially if combined with a note on the possibility of forging birth certificates or similar. — Preceding unsigned comment added by 128.154.202.19 (talk) 18:14, 25 April 2016 (UTC)Reply

Renamed

Latest comment: 12 years ago1 comment1 person in discussion

I renamed Wildcard SSL certificate to a better (more general) name Wildcard certificate. A wildcard certificate can be used for other ways then Secure Sockets Layer (SSL). For example Transport Layer Security (TLS). --FlippyFlink (talk) 21:45, 13 November 2011 (UTC)Reply

The specification or the Standard

Latest comment: 11 years ago1 comment1 person in discussion

which file defines the specification or the standard? how is it made? Jackzhp (talk) 00:34, 3 January 2013 (UTC)Reply

???

Latest comment: 8 years ago3 comments3 people in discussion

This article is nothing but technical gobbledygook that has no meaning to nonexperts. — Preceding unsigned comment added by 184.147.137.3 (talk) 12:55, 28 May 2014 (UTC)Reply

Flagged for editing. Thanks for the feedback   meteor_sandwich_yum (talk) 23:55, 3 July 2014 (UTC)Reply

Eh, the whole subject is so extremely special and "technical" that I doubt it would be even possible or desirable to make it understandable to "non-technical" readers? I mean, what average Joe from the street needs to understand what Wildcard certificates are?

The article isn't especially technical, but the analogy of a notary public is cumbersome and falls down badly. A better analogy would be, if your sister's husband's cousin is six feet tall, obviously you like butter. Bonehed (talk) 15:11, 10 February 2016 (UTC)Reply

First paragraph does easily mislead, is inaccurate and outdated

Latest comment: 8 years ago1 comment1 person in discussion

The first paragraph is outdated, inaccurate by today and can also be easily read in a misleading way. Before replacing a "first paragraph" with a cite by some own text, I'd like to discuss it first.

My suggestion for the first paragraph

In Transport Layer Security, a public key certificate is restricted to a list of one or more fully qualified domain names. A wildcard certificate is less restricted and can be used for any subdomain of one or multiple domains ("*.wikipedia.org", "*.wikimedia.org").

Discussion of the current paragraph

"a wildcard certificate is a public key certificate which can be used with multiple subdomains of a domain"^[1]

Since the introduction of Subject Alternative Names in 2008, every certificate may be valid for a multiple subdomains. So it doesn't take a wildcard certificate to "be used with multiple subdomains of a domain": any certificate may also contain multiple Subject Alternative Names and so can be used for multiple subdomains of a domain.

The important difference is: a wildcard certificate can also be used with any unspecified subdomain of a specified domain, but is not limited to any specified subdomains of the specified domain.

As a result of this phrase, a reader may ask for a wildcard certificate where a certificate for a limited set of subject alternative names is sufficient and more sensible (from a security point of view).

The exact wording may also be misleading. Only if the reader is fully aware of the differences between a domain and a domain name and the difference of a subdomain and a subzone, the first line is read with a correct understanding.

Even when I'm just sticking to RFCs and Wikipedia, the descriptions for "hostname", "subdomain", "domain" and "DNS label" are very close to each other and may be hard to tell apart for the average reader. On the other hand, the differences between "domain" and "domain name", "subdomain" and "sub zone" may be much more important, but have been blurred fairly well by DNS providers, domain registrars and webhosting companies.

The line

"Compared with conventional certificates, a wildcard certificate can be cheaper and more convenient than a certificate for each domain."^[2]

is also outdated as well: Certificate Authorities nowadays do typically permit up to 100 Subject Alternative Names per certificate, sometimes more on request - so there's no reason to issue multiple certificates if a single certificate does do the job as well. Some CAs do charge per Subject Alternative Name, others do not - so the point of "cheaper" heavily depends on the exact Certificate Authority and tariff model being used.

However, when one is using very many (>100) Subject Alternative Names, the resulting certificate may become too large to be processed successfully on certain devices and so run in trouble.

Another point on this quote:

"Compared with conventional certificates, a wildcard certificate can be cheaper and more convenient than a certificate for each domain."^[3]

While a wildcard certificate may be convenient, it also can have a severe impact on security. When a wildcard certificate has been issued for a domain, any other (possibly existing) certs for other subdomains within the same domain are still valid and may be impersonated by the wildcard certificate.

Both aspects (cheap or the same, impact on security) may be important, but also completely a non-issue to the average user - so I'd rather drop the saying of that paragraph's last line.

Istalix (talk) 18:14, 25 August 2015 (UTC)Reply

References

1. Hendric, William (17 January 2008). "Wildcard SSL Certificate Explained". SSL Certificate Provider. Retrieved 17 February 2015.
2. Hendric, William (17 January 2008). "Wildcard SSL Certificate Explained". SSL Certificate Provider. Retrieved 17 February 2015.
3. Hendric, William (17 January 2008). "Wildcard SSL Certificate Explained". SSL Certificate Provider. Retrieved 17 February 2015.

Wildcard certificates include subdomains only, or also domains?

Latest comment: 3 years ago1 comment1 person in discussion

The article is quite ambiguous about whether a single wildcard certificate applies only to one domain and its subdomains, or to multiple domains and their subdomains. Since I don't know the answer, WP has let me down here. David Spector (talk) 15:21, 2 September 2020 (UTC)Reply