For some domains, we have specific subdomains on our ExactBlacklist, because issuing to that domain in general is not high risk, but certain subdomains are. When we enable wildcard issuance, we want to make sure that if foo.example.com is on ExactBlacklist, it's not possible to issue a wildcard certificate containing *.example.com. One idea for how to do this: When loading the high-risk domains list, additionally process the ExactBlacklist by removing the first label from each domain and adding them to a "WildcardExactBlacklist" map. The base domains for Wildcard issuances would be looked up in this map.
For some domains, we have specific subdomains on our ExactBlacklist, because issuing to that domain in general is not high risk, but certain subdomains are. When we enable wildcard issuance, we want to make sure that if
foo.example.comis on ExactBlacklist, it's not possible to issue a wildcard certificate containing*.example.com. One idea for how to do this: When loading the high-risk domains list, additionally process the ExactBlacklist by removing the first label from each domain and adding them to a "WildcardExactBlacklist" map. The base domains for Wildcard issuances would be looked up in this map.