I've always figured it was just unwillingness on people to implement the work required for that to happen. Inertia.

The "wildcard" certs' relevant RFCs are worded such that * . * .example.com isn't valid; one of the relevant RFCs restricts you to only 1 star in the leftmost component, so two stars is invalid.

There's a thing that you can put into a cert called "name constraints" that does have a syntax that allows you to say ".example.com", which allows things such as "foo.bar.example.com". It's valid on CA certs (it's oddly only valid on CA certs), which means that you could get a cert that was a CA cert for just your domain, and all subdomains. It'd be incredibly useful.

But no CA that I know of will issue them. Of the major browsers, only Firefox supports them. The whole Lets Encrypt thing makes it mostly a moot point though, since with Lets Encrypt you'd just obtain a non-CA cert for each specific domain.

(It'd still be useful, I think, to see it implemented, if only for restricting CAs to certain public suffixes, when/if that's appropriate.)

I don't think that's a valid reason, because you can get a cert for * .com.example.com, hence you can have those domains.

Very good point.

It's not price segmentation. You can encrypt X hosts with a wildcard cert, and X can be any number. So you basically buy encryption at a flat price, which can save you a LOT of money.

Fair enough; maybe the term isn't correct. My point is that a wildcart cert is technically no different than a 'regular' cert, and the CA incurs in no extra cost, unlike with EV certs. The price difference is purely based on the fact that buyers who need wildcart certs tend to have larger budgets.

And then letsencrypt gives out free certs, but not wildcards, though their argument is more for securities sake.