1. ACME/WildCardCertificate
It seems people in the HTTP world don't know about DNS.
https://en.wikipedia.org/wiki/Wildcard_certificate
Some certificate vendors recommend against using wildcard certificates.
https://www.thawte.com/resources/pdfs/Thawte_Multiuse_SSL_WP.pdf
https://searchsecurity.techtarget.com/definition/wildcard-certificate
- Wildcard notation consists of an asterisk and a period before the domain name.
1.1. RFC
RFC 2818, RFC 6125 section 6.4.3 "Checking of Wildcard Certificates": https://tools.ietf.org/html/rfc6125#page-27
Only left-most labels, i.e. *.example.com but not www.*.com. This implicitly excludes multiple wildcards like *.*.example.com. A wildcard label can be matched only against a single label, i.e. *.example.com will match www.example.com but not sub.www.example.com. If the wildcard is not the full label (i.e. w*.example.com) it should not occur inside IDNA labels.
1.2. CAB
Baseline Requirements Certificate Policy for the Issuance and Management of Publicly-Trusted Certificates
https://cabforum.org/wp-content/uploads/Baseline_Requirements_V1_3_1.pdf
1.3. example
"*.example.com" covers:
- payment.example.com
- contact.example.com
- login-secure.example.com
- www.example.com
but does not cover (a difference from DNS):
- test.login.example.com
Because the wildcard only covers one level of subdomains (the asterisk doesn't match full stops). (RFC 2818)
Is it odd to bring up the RFC at this point? Maybe it's fine since this is HTTP. -- ToshinoriMaeno 2019-01-26 11:33:27
1.4. limitations
Only a single level of subdomain matching is supported in accordance with RFC 2818
In addition, wildcards themselves can have subjectAltName extensions, including other wildcards.
https://www.tbs-certificates.co.uk/FAQ/en/320.html
What are limitations of Wildcard or OmniDomain certificates?
The wildcard character only replaces characters from 0 to 9, from A to Z and the dash (equivalent to [0-9A-Za-z\-]+)
1.5. Examples
There is a caveat that these are "not necessarily correct". (Quite different from DNS.)
The wildcard may appear anywhere inside a label (aka "partial-wildcard").
Considering DNS challenge validation, this claim is untenable. -- ToshinoriMaeno 2019-01-26 15:04:21
Do not allow a label that consists entirely of just a wildcard unless it is the left-most label. (Or rather, it can only be used in the first label.)
A cert with multiple wildcards in a name is not allowed.
- "*.*.domain.com"
A cert with * plus a top-level domain is not allowed.
- "*.com"
Too general and should not be allowed.
- "*"
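The rules collected in sections 1.1 to 1.5 (wildcard only in the left-most label, matching exactly one label, no "*.*.example.com", no "*.com", no bare "*", no partial wildcard inside an IDNA label, and "*" standing only for [0-9A-Za-z-]+) are small enough to write down as a checker. The following is an added example written for this page, not code from any RFC, CA or browser; the function names `is_valid_wildcard_name` and `hostname_matches` and the sample names are my own, and it deliberately errs on the strict side (it rejects a name rather than guessing).

```python
"""Wildcard certificate name checks in the spirit of RFC 6125 section 6.4.3.

Added example (not from the original page): implements the rules the page
lists. The names are constructed for illustration.
"""
import re

# A wildcard label: optional literal prefix, exactly one "*", optional literal suffix
_WILDCARD_LABEL = re.compile(r"^[0-9A-Za-z-]*\*[0-9A-Za-z-]*$")
# A plain label: the characters the wildcard may stand for (TBS FAQ rule)
_PLAIN_LABEL = re.compile(r"^[0-9A-Za-z-]+$")


def is_valid_wildcard_name(name: str) -> bool:
    """True if `name` is a DNS name (wildcard or not) a CA should be willing to issue."""
    labels = name.lower().rstrip(".").split(".")
    if "*" not in name:
        return all(_PLAIN_LABEL.match(label) for label in labels)
    if name.count("*") != 1:
        return False                    # "*.*.example.com": multiple wildcards
    if "*" not in labels[0]:
        return False                    # "www.*.com": wildcard must be left-most
    if len(labels) < 3:
        return False                    # "*.com" and bare "*": too general
    if not _WILDCARD_LABEL.match(labels[0]):
        return False                    # characters around the "*" that "*" may not stand for
    if labels[0] != "*" and labels[0].startswith("xn--"):
        return False                    # partial wildcard inside an IDNA A-label
    return all(_PLAIN_LABEL.match(label) for label in labels[1:])


def hostname_matches(hostname: str, cert_name: str) -> bool:
    """Compare a hostname with one dNSName from a certificate, RFC 6125 style."""
    if not is_valid_wildcard_name(cert_name):
        return False
    host_labels = hostname.lower().rstrip(".").split(".")
    cert_labels = cert_name.lower().rstrip(".").split(".")
    # The wildcard stands for exactly one label, so the label counts must agree:
    # "*.example.com" matches www.example.com, never test.login.example.com
    if len(host_labels) != len(cert_labels):
        return False
    if "*" not in cert_labels[0]:
        return host_labels == cert_labels
    if host_labels[1:] != cert_labels[1:]:
        return False
    # Partial wildcards such as "w*" keep their literal prefix/suffix
    prefix, suffix = cert_labels[0].split("*")
    pattern = re.escape(prefix) + "[0-9a-z-]+" + re.escape(suffix)
    return re.fullmatch(pattern, host_labels[0]) is not None


if __name__ == "__main__":
    # Constructed sample hostnames, the same ones the page uses
    for host in ("payment.example.com", "login-secure.example.com",
                 "test.login.example.com", "example.com"):
        print(f"{host:26s} vs *.example.com -> {hostname_matches(host, '*.example.com')}")
```

Run as-is it prints the page's section 1.3 table: the single-level names match and test.login.example.com and example.com do not. Real TLS stacks also handle IP-address SANs, case folding of IDNA labels and CN fallback, which this checker leaves out.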
1.6. Implementations
https://www.ssl.com/ssl-wildcard-certificates
There also seems to be the question of how browsers handle them.
Comodo : http://valuessl.net/ssl-certificate/comodo/comodopositivesslwildcard.php
JPRS: https://jprs.jp/pubcert/about/wildcard/
- Websites configured with a wildcard certificate cannot be displayed from feature-phone browsers. Multi-level subdomains are not supported.
digicert: https://dc.cybertrust.co.jp/ssl/wildcard-ssl-certificates.html
With DigiCert wildcard certificates, as long as the domain is the same as the common name, FQDNs at a different level from the common name can be added via Subject Alternative Names, so the bare domain name "example.com" itself and FQDNs at other levels such as "support.mail.example.com" can be covered by a single certificate.
https://www.digicert.com/subject-alternative-name.htm
- They have to be added individually. (Can wildcards be added as well?)
https://www.geotrust.co.jp (SSL/TLS introductory guide)
1.7. phishing
Wildcard SSL Certificates and Phishing: A Match Made in Heaven
https://www.thesslstore.com/blog/wildcard-ssl-certificates-phishing-match-made-heaven/
With a Wildcard certificate, the left-most label of the domain name is replaced with an asterisk. There are restrictions on Wildcards that limit the scenarios they can be used in. There can only be one "*" and it must be in the left-most position. So, "www.*.secure.com" is not allowed. It also cannot be used directly after the TLD. So "*.com" is not allowed. If a large proportion of phishing sites begin using Wildcard certificates instead of single-domain or multi-domain certificates, it will make CT logs an ineffective detection system.