Talk:Wildcard certificate

Misleading Analogy
DNA is a lot harder to spoof than DNS, making this analogy give non-technical users more confidence in wildcard binding than it ought to. I suggest a change to last name rather than DNA, which would give a more appropriate impression -- especially if combined with a note on the possibility of forging birth certificates or similar. — Preceding unsigned comment added by 128.154.202.19 (talk) 18:14, 25 April 2016 (UTC)

Renamed
I renamed Wildcard SSL certificate to a better (more general) name, Wildcard certificate. A wildcard certificate can be used for other protocols than Secure Sockets Layer (SSL), for example Transport Layer Security (TLS). --FlippyFlink (talk) 21:45, 13 November 2011 (UTC)

The specification or the Standard
Which file defines the specification or the standard? How is it made? Jackzhp (talk) 00:34, 3 January 2013 (UTC)

???
This article is nothing but technical gobbledygook that has no meaning to nonexperts. — Preceding unsigned comment added by 184.147.137.3 (talk) 12:55, 28 May 2014 (UTC)
 * Flagged for editing. Thanks for the feedback meteor_sandwich_yum (talk) 23:55, 3 July 2014 (UTC)
 * Eh, the whole subject is so extremely special and "technical" that I doubt it would be even possible or desirable to make it understandable to "non-technical" readers? I mean, what average Joe from the street needs to understand what Wildcard certificates are?
 * The article isn't especially technical, but the analogy of a notary public is cumbersome and falls down badly. A better analogy would be, if your sister's husband's cousin is six feet tall, obviously you like butter. Bonehed (talk) 15:11, 10 February 2016 (UTC)

First paragraph can easily mislead, is inaccurate and outdated
The first paragraph is outdated, inaccurate today and can also easily be read in a misleading way. Before replacing a cited "first paragraph" with some text of my own, I'd like to discuss it first.

My suggestion for the first paragraph
In Transport Layer Security, a public key certificate is restricted to a list of one or more fully qualified domain names. A wildcard certificate is less restricted and can be used for any subdomain of one or multiple domains ("*.wikipedia.org", "*.wikimedia.org").

Discussion of the current paragraph
"a wildcard certificate is a public key certificate which can be used with multiple subdomains of a domain"

Since the introduction of Subject Alternative Names in 2008, every certificate may be valid for multiple subdomains. So it doesn't take a wildcard certificate to "be used with multiple subdomains of a domain": any certificate may also contain multiple Subject Alternative Names and so can be used for multiple subdomains of a domain.

The important difference is: a wildcard certificate can also be used with any unspecified subdomain of a specified domain, but is not limited to any specified subdomains of the specified domain.

As a result of this phrase, a reader may ask for a wildcard certificate where a certificate for a limited set of subject alternative names is sufficient and more sensible (from a security point of view).

The exact wording may also be misleading. Only if the reader is fully aware of the difference between a domain and a domain name, and the difference between a subdomain and a subzone, is the first line read with a correct understanding.

Even when I'm just sticking to RFCs and Wikipedia, the descriptions for "hostname", "subdomain", "domain" and "DNS label" are very close to each other and may be hard to tell apart for the average reader. On the other hand, the differences between "domain" and "domain name", "subdomain" and "sub zone" may be much more important, but have been blurred fairly well by DNS providers, domain registrars and webhosting companies.

The line

"Compared with conventional certificates, a wildcard certificate can be cheaper and more convenient than a certificate for each domain."

is also outdated: Certificate Authorities nowadays typically permit up to 100 Subject Alternative Names per certificate, sometimes more on request, so there's no reason to issue multiple certificates if a single certificate does the job as well. Some CAs charge per Subject Alternative Name, others do not, so the point of "cheaper" heavily depends on the exact Certificate Authority and tariff model being used.

However, when one is using very many (>100) Subject Alternative Names, the resulting certificate may become too large to be processed successfully on certain devices and so run into trouble.

Another point on this quote:

"Compared with conventional certificates, a wildcard certificate can be cheaper and more convenient than a certificate for each domain."

While a wildcard certificate may be convenient, it also can have a severe impact on security. When a wildcard certificate has been issued for a domain, any other (possibly existing) certs for other subdomains within the same domain are still valid and may be impersonated by the wildcard certificate.

Both aspects (cheaper or the same price, impact on security) may be important, but may also be a complete non-issue to the average user, so I'd rather drop that paragraph's last line.

Istalix (talk) 18:14, 25 August 2015 (UTC)

Wildcard certificates include subdomains only, or also domains?
The article is quite ambiguous about whether a single wildcard certificate applies only to one domain and its subdomains, or to multiple domains and their subdomains. Since I don't know the answer, WP has let me down here. David Spector (talk) 15:21, 2 September 2020 (UTC)
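An added example, not from the article or any of the commenters, that makes Istalix's distinction concrete and answers David Spector's question by running the usual browser-style name-matching rules over two constructed certificates: a fixed Subject Alternative Name list only covers the names it lists, whereas a wildcard entry such as "*.wikipedia.org" covers every single-label subdomain (including ones that already have their own certificates), but neither the bare domain nor deeper subdomains. The rules assumed here are the common ones (the "*" must be the whole leftmost label and stands for exactly one label); the sample certificates and the "at least two labels after the wildcard" guard are simplifications.

```python
"""Hostname matching for SAN lists and wildcard entries (added example)."""


def _labels(name: str) -> list[str]:
    """Split a DNS name into lowercase labels, dropping any trailing dot."""
    return name.rstrip(".").lower().split(".")


def name_matches(san_entry: str, hostname: str) -> bool:
    """Return True if a single dNSName SAN entry covers the given hostname."""
    pattern = _labels(san_entry)
    host = _labels(hostname)
    if "*" not in san_entry:
        return pattern == host                  # exact, case-insensitive match
    # Wildcard rules (common browser/RFC 6125 practice, simplified):
    #  - only the leftmost label may be a wildcard, and it must be a bare '*'
    #    (partial-label forms such as "f*.example.org" are rejected);
    #  - at least two labels must follow the '*' (so "*.org" is refused);
    #  - the '*' stands for exactly one label, never zero and never several.
    if pattern[0] != "*" or any("*" in lab for lab in pattern[1:]):
        return False
    if len(pattern) < 3:
        return False
    return len(host) == len(pattern) and host[1:] == pattern[1:]


def certificate_covers(san_entries: list[str], hostname: str) -> bool:
    """True if any SAN entry of the certificate covers the hostname."""
    return any(name_matches(entry, hostname) for entry in san_entries)


# Constructed sample certificates (SAN lists only, no real certificates):
SAN_CERT = ["www.wikipedia.org", "en.wikipedia.org"]    # fixed list of names
WILDCARD_CERT = ["*.wikipedia.org", "*.wikimedia.org"]  # two wildcard entries

if __name__ == "__main__":
    for host in ["www.wikipedia.org", "de.wikipedia.org",
                 "wikipedia.org", "a.b.wikipedia.org", "upload.wikimedia.org"]:
        print(f"{host:22} SAN list: {certificate_covers(SAN_CERT, host)!s:5} "
              f"wildcard: {certificate_covers(WILDCARD_CERT, host)}")
```

The wildcard certificate covering "www.wikipedia.org" even though a separate certificate exists for that name is exactly the impersonation concern raised above, and the same name-matching logic is what a TLS client applies when it checks a server certificate.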