haskell-tls / hs-certificate

Certificate and Key Reader/Writer in haskell

Accept any wildcard certificate #60

Closed wereHamster closed 8 years ago

wereHamster commented 8 years ago

The validator should not make any judgement about the validity of a wildcard name in the certificate. As long as the certificate is syntactically well-formed and the user trusts the trust anchor, the certificate should be accepted.

The powers that be were consulted on that matter; here are excerpts from the discussion:

There are valid wildcard certs out there for *.psl.tld. The CAB Forum Baseline Requirements require that the PSL be checked and taken note of but - for good reason - do not prohibit issuance to *.psl.tld. There are some circumstances, particularly for the PRIVATE part of the list, where such a cert is entirely reasonable.

and

*.amazon is a perfectly valid cert. As is *.appspot.com, even though appspot.com is in the PSL.

(PSL: publicsuffix list)

wereHamster commented 8 years ago

Uhm, I'd appreciate some feedback. Any feedback in fact..

vincenthz commented 8 years ago

TBH, I'm not sure what to do with the PSL.

"... PSL be checked and taken note of but - for good reason - do not prohibit issuance to *.psl.tld"

What does that mean in practice? Who is supposed to check and take note / what to do?

wereHamster commented 8 years ago

A CA will issue a certificate as long as you can prove that you are the owner of the domain. I can imagine they have stricter checks in place for domains in the PSL (similar to the additional checks that are in place when you request an EV cert). The (HTTPS) client shouldn't care at all about the domains in the certificate as long as its trust anchor is trusted. I don't think Chrome or Firefox show a warning when they encounter such a certificate, let alone reject it.

vincenthz commented 8 years ago

I think you're right. I've checked out a similar change now that keeps the "* is invalid" behavior.

Thanks for your patience with this; I've dropped the ball solving the issue quickly enough.
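To make the thread's conclusion concrete, here is an added example (not hs-certificate's own code) of a hostname check that applies only syntactic wildcard rules and never consults the public suffix list, so *.appspot.com and *.amazon are accepted while a bare * stays invalid. It assumes the wildcard must be the whole leftmost label and must stand in for exactly one label.

```python
"""Syntactic wildcard matching for certificate hostnames (added example).

Only the syntactic rules are applied, as the thread concludes a client
should: the public suffix list is never consulted. Assumptions: the
wildcard must be the entire leftmost label, it matches exactly one
label, and a bare "*" (no labels after it) is rejected.
"""


def _labels(name: str) -> list[str]:
    # Case-insensitive; strip a single trailing dot (absolute FQDN form).
    n = name.lower()
    if n.endswith("."):
        n = n[:-1]
    return n.split(".")


def wildcard_name_is_well_formed(pattern: str) -> bool:
    """True if pattern is a plain name or a well-formed leftmost wildcard."""
    labels = _labels(pattern)
    if any(label == "" for label in labels):
        return False  # empty label: "", ".example.com", "a..b"
    n_wild = pattern.count("*")
    if n_wild == 0:
        return True
    if n_wild > 1 or labels[0] != "*":
        return False  # wildcard must be the entire leftmost label
    # "*" alone has nothing after it: that stays invalid.
    return len(labels) >= 2


def hostname_matches(pattern: str, hostname: str) -> bool:
    """Does the certificate name `pattern` cover `hostname`?"""
    if not wildcard_name_is_well_formed(pattern):
        return False
    p, h = _labels(pattern), _labels(hostname)
    if any(label == "" for label in h):
        return False
    if "*" not in pattern:
        return p == h
    # The wildcard stands in for exactly one label: no subdomain spanning,
    # and "*.example.com" does not cover "example.com" itself.
    return len(p) == len(h) and p[1:] == h[1:]
```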