DNS-Label for wildcard-certificate-validation

If this change is only introduced to ACME, isn't the difference somewhat academic/pointless?

A wildcard can, today, legally be issued from other CAs just with the presence of a /.well-known/pki-validation/ resource on the root domain.

I agree that better controls should be possible, but practically speaking, unless the changes propagate to other CAs, the only difference in a new label is that an attacker has to spend $20 at a cheap wildcard vendor.

I feel it is slightly disingenuous to claim that LE is lowering security when they already have higher requirements for wildcard issuance than other, equally trusted CAs.
