Wildcard Usage Policy

  • ENS (Royal Decree 311/2022)

    • Minimum requirement "Minimum privilege" (art. 20) and its operational translation [op.acc.4] in Annex II: privileges (and, by analogy, the scope of credentials and keys) are limited to what is strictly necessary. This is the basis for not accepting certificates whose scope exceeds the service they protect. BOE

    • Protection of communications in Annex II ([mp.com.2] confidentiality and [mp.com.3] integrity and authenticity): requires well-configured TLS and robust identity verification (matching the certificate name with the service). BOE

  • IETF — RFC 9525 “Service Identity in TLS” (obsoletes RFC 6125)

    • Establishes that clients validate the server's identity against the identifiers in the certificate (SAN: DNS-ID, IP-ID, SRV-ID, URI-ID). Recommends requesting certificates with “as few identifiers as necessary to identify a single service”; if one host handles several services, several certificates are preferable to a single “one-size-fits-all” certificate. It also restricts the wildcard character to the leftmost label. All of this supports requiring a specific FQDN per environment and service and avoiding broad wildcards. rfc-editor.org

  • NIST SP 800-52r2 (TLS)

    • Official TLS configuration guide: the server is authenticated via its certificate, and the name is validated against the Subject Alternative Name (SAN); basis for requiring the certificate to cover exactly the host being connected to. NIST Publications, csrc.nist.rip

  • NIST SP 800-57 Pt.1 Rev.5 (key management)

    • To limit the impact of a possible key compromise, recommends using different keys for different purposes and limiting the amount of information and the number of services protected by a single key. A *.cliente.com wildcard typically reuses the same private key across many subdomains, which widens the “blast radius” of a single leak. NIST Publications

  • OWASP TLS Cheat Sheet

    • “Use Correct Domain Names”: the FQDN must appear in the SAN and must exactly match the destination host.

    • “Carefully Consider the use of Wildcard Certificates”: wildcards must be used with great caution and must not cover zones with different trust levels.

    • “Client Certificates and mTLS”: where applicable, mutual TLS for mutual authentication. cheatsheetseries.owasp.org

  • CA/Browser Forum — Baseline Requirements (v2.1.6)

    • Section 3.2.2.6 Wildcard Domain Validation: regulates and restricts the issuance of wildcards by public CAs (e.g., prohibited at the level of public suffixes). Our internal cases are not identical to the public-CA one, but it shows that the industry already limits wildcards and treats them with special care, which supports the stance of restricting their scope. CA/Browser Forum
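The RFC 9525 and OWASP points above (the FQDN must match a SAN identifier exactly, and a wildcard is honoured only as the complete leftmost label) can be turned into a small review check for certificates requested under this policy. The following Python is an added illustration written for this page; it is not code from the page, from the IETF, OWASP or NIST. The matching rules follow RFC 9525 section 6.3; the scope limit of five identifiers, the rule that a wildcard must be followed by at least two labels (so `*.com` is never accepted), and the rejection of IP-literal references against DNS-IDs are assumptions of this example, not values taken from the page. IP-ID, SRV-ID and URI-ID matching are out of scope here.

```python
"""RFC 9525-style DNS-ID matching plus a scope check for certificate requests.

Added example for this policy page (not code from the page or the cited bodies).
Assumptions: max_identifiers=5 is an illustrative policy knob; a wildcard must be
followed by at least two labels; IP-literal references never match a DNS-ID.
"""
import ipaddress
import re
from typing import Iterable, List

# One DNS label: 1-63 chars of letters, digits or hyphen, no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def _labels(name: str) -> List[str]:
    """Normalise for comparison: lowercase, drop a trailing dot, split into labels."""
    return name.strip().lower().rstrip(".").split(".")


def _is_ip_literal(name: str) -> bool:
    try:
        ipaddress.ip_address(name.strip())
        return True
    except ValueError:
        return False


def dns_id_matches(reference: str, presented: str) -> bool:
    """True if the presented DNS-ID (a SAN dNSName) matches the reference hostname.

    Rules applied (RFC 9525 s.6.3):
      * case-insensitive, label-by-label comparison;
      * '*' is honoured only as the complete leftmost label ("*.example.com");
        "w*.example.com" or "www.*.example.com" never match anything;
      * the wildcard matches exactly one label, so "*.example.com" matches
        "www.example.com" but neither "example.com" nor "a.b.example.com".
    Assumption of this example: a wildcard needs two labels after it ("*.com" rejected),
    and a reference that is an IP literal is compared to IP-IDs, never to DNS-IDs.
    """
    if _is_ip_literal(reference):
        return False
    ref = _labels(reference)
    pres = _labels(presented)
    if not all(_LABEL_RE.match(label) for label in ref):
        return False
    if "*" in presented:
        if pres[0] != "*" or any("*" in label for label in pres[1:]):
            return False  # wildcard somewhere other than the whole leftmost label
        if len(pres) < 3:
            return False  # "*" or "*.com": too broad to be a single service
        if not all(_LABEL_RE.match(label) for label in pres[1:]):
            return False
        return len(ref) == len(pres) and ref[1:] == pres[1:]
    if not all(_LABEL_RE.match(label) for label in pres):
        return False
    return ref == pres


def certificate_matches(reference: str, san_dns_ids: Iterable[str]) -> bool:
    """True if any DNS-ID in the SAN list matches the hostname being connected to."""
    return any(dns_id_matches(reference, dns_id) for dns_id in san_dns_ids)


def certificate_scope_findings(san_dns_ids: Iterable[str], max_identifiers: int = 5) -> List[str]:
    """Policy findings for a certificate request: wildcards and oversized SAN lists.

    Mirrors RFC 9525 ("as few identifiers as necessary") and NIST SP 800-57
    (limit what one key protects). max_identifiers is an assumed example value.
    """
    ids = [i.strip().rstrip(".").lower() for i in san_dns_ids]
    findings = []
    for dns_id in ids:
        if dns_id.startswith("*."):
            findings.append(f"wildcard {dns_id}: one key would cover every host under {dns_id[2:]}")
        elif "*" in dns_id:
            findings.append(f"malformed wildcard {dns_id}: '*' is allowed only as the whole leftmost label")
    if len(ids) > max_identifiers:
        findings.append(
            f"{len(ids)} identifiers exceed the limit of {max_identifiers}; prefer one certificate per service"
        )
    return findings


if __name__ == "__main__":
    # Constructed sample SAN lists, not real certificates.
    print(certificate_matches("api.cliente.com", ["www.cliente.com", "api.cliente.com"]))  # True
    print(dns_id_matches("cliente.com", "*.cliente.com"))  # False: wildcard needs one label
    for finding in certificate_scope_findings(["*.cliente.com", "w*.cliente.com"]):
        print("finding:", finding)
```

`dns_id_matches` answers the RFC 9525 question for one identifier, while `certificate_scope_findings` is the policy-side review: a request carrying a wildcard or more identifiers than the configured limit gets a finding to justify before issuance.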