Hi Paul,

It is my understanding that it only represents a single label. See http://en.wikipedia.org/wiki/Wildcard_certificate. RFC 2818 contains some information.

Kind regards,

Erik

From: "" <dmarc-noreply-outsider@xxxxxxxxxxxxx> (Redacted sender "paulej@xxxxxxxxxxxxxx" for DMARC)
Sent: Tuesday, April 29, 2014 12:39 PM
To: Erik Andersen; Directory list; SG17-Q11
Subject: Re: [T17Q11] Wildcard DNS name

Erik,

I have a question about this. Does the wildcard represent a single label or any number of labels? For example, would *.example.com cover foo.bar.example.com? From what you've written, it sounds like it would not.

Paul

_____

From: Erik Andersen <era@xxxxxxx>
Sent: April 29, 2014 6:00:28 AM EDT
To: Directory list <x500standard@xxxxxxxxxxxxx>, SG17-Q11 <T13sg17q11@xxxxxxxxxxxxx>
Subject: [T17Q11] Wildcard DNS name

Hi,

I have proposed the following text to the end of the text of the proposed DNS name attribute type.

A DNS name to be used as a name in a public-key certificate or in an attribute certificate shall be a fully-qualified domain name (FQDN), i.e., it shall identify a particular entity. A FQDN may have an asterisk ('*') as an additional leftmost label, which is a substitute (wildcard) for all labels of the next levels of subdomains of the domain identified by the FQDN without the asterisk.

Please comment on whether such a paragraph is useful, and if so, you might suggest a more elegant formulation.

Regards,

Erik
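
The single-label reading given in the reply at the top of this thread, set next to the multi-label reading that the question asks about, as an added example that is not part of the thread or of the proposed text. The names `wildcard_matches` and `single_label` are assumptions, the sample names are constructed, and the asterisk is accepted only as a complete leftmost label, as in the proposed paragraph.

```python
def _labels(name):
    """Lower-case a DNS name and split it into labels, ignoring one trailing dot."""
    return name.rstrip(".").lower().split(".")


def wildcard_matches(pattern, hostname, single_label=True):
    """Return True if the certificate name `pattern` covers `hostname`.

    single_label=True  : '*' stands for exactly one label (the RFC 2818 reading).
    single_label=False : '*' stands for one or more labels (the other reading
                         raised in the thread), kept only for comparison.
    """
    p, h = _labels(pattern), _labels(hostname)
    if any(label == "" for label in p + h):
        return False                      # empty label: malformed name
    if any("*" in label for label in h):
        return False                      # the name being checked must be concrete
    if p[0] != "*":
        # No wildcard label: exact comparison, and no asterisk anywhere else.
        return "*" not in pattern and p == h
    base = p[1:]                          # the FQDN without the asterisk
    if not base or any("*" in label for label in base):
        return False                      # bare '*' or a second asterisk
    extra = len(h) - len(base)            # labels the wildcard has to absorb
    if extra < 1 or h[extra:] != base:
        return False                      # the wildcard never covers the base itself
    return extra == 1 if single_label else True


# Constructed sample names: (certificate name, host name being checked).
CASES = [
    ("*.example.com", "foo.example.com"),
    ("*.example.com", "foo.bar.example.com"),
    ("*.example.com", "example.com"),
    ("foo.*.example.com", "foo.bar.example.com"),
    ("*.Example.COM.", "FOO.example.com"),
]

if __name__ == "__main__":
    print(f"{'certificate name':<20}{'host name':<24}{'single':<8}multi")
    for pattern, host in CASES:
        single = wildcard_matches(pattern, host)
        multi = wildcard_matches(pattern, host, single_label=False)
        print(f"{pattern:<20}{host:<24}{str(single):<8}{multi}")
```

The two readings differ only on the second sample, which is the case asked about in the thread.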