Re: clarifications needed re safe form editor cert matching algorithm

I guess my confusion was as to why you said to load BoA in IE7. As for how
widespread they are - I'd say it's moderate. I.e. if you look at CAs who
sell 3-in-1 certs or 6-in-1 certs (for instance, godaddy), that's
accomplished by subject alt name extension. I don't believe it to be the
case that "most" sites use certs with this extension, but I do believe it to
still be common.

As for IE7 - I have a VMWare instance with IE7 installed, but for some
reason it's not letting me log in - some error about not being able to
contact the active directory domain controller, or the computer account not
being found. Pain in the butt, I'll get that image re-added to the directory
(perhaps with a different ID), but for now I am without IE7. And more than
me installing IE7, I'd love to get some blue badgers in here to actually
comment on the feasibility of MSFT ever implementing half of what we're
talking about, even if it's off the record.

-Ian

On 10/11/07, Close, Tyler J. <tyler.close@hp.com> wrote:
>
>  Ian, I said I was going to investigate and make a proposal. It's not my
> intent to break the eBay site because they use a certificate feature that
> BofA does not. I'd hope that much would be obvious.
>
> I was asking about the prevalence of the alt names to get an idea of how
> much we can rely on that feature. For example, if, hypothetically, alt names
> were widespread, they might provide a better matching algorithm than step 4
> of the algorithm I am currently proposing.
>
> I suggest you get set up with a copy of IE7 in order to better participate
> in this WG. Last I checked, IE had significant share in the market we're
> looking to set standards in.
>
> Not having so much fun now. Ah well.
>
> --Tyler
>
>  ------------------------------
> *From:* Ian Fette [mailto:ifette@google.com]
> *Sent:* Thursday, October 11, 2007 2:08 PM
> *To:* Close, Tyler J.
> *Cc:* public-wsc-wg@w3.org
> *Subject:* Re: clarifications needed re safe form editor cert matching
> algorithm
>
> bankofamerica.com does not use an alt-name. What's the point? (And for
> those of us who aren't using IE7, I'm assuming you just get a common name
> mismatch error, or what?) if eBay uses it, then I think you need to be
> worried about breaking it.
>
> On 10/11/07, Close, Tyler J. <tyler.close@hp.com> wrote:
> >
> >  Perhaps there's some way to finesse this part of the algorithm by
> > reference to RFC 2818. I'll work on it.
> >
> > Many sites don't seem to be using this cert feature. For a fun example,
> > visit the following URL using IE7.
> >
> > https://bankofamerica.com/
> >
> > --Tyler
> >
> >  ------------------------------
> > *From:* Ian Fette [mailto:ifette@google.com]
> > *Sent:* Thursday, October 11, 2007 12:48 PM
> > *To:* Close, Tyler J.
> > *Cc:* public-wsc-wg@w3.org
> > *Subject:* Re: clarifications needed re safe form editor cert matching
> > algorithm
> >
> >  It is in huge use. For example, if you go to https://signin.ebay.com and look at the cert - the CN is
> > signin.ebay.com but the certificate subject alt name lists:
> >
> > Not Critical
> > DNS Name: signin.cafr.ebay.ca
> > DNS Name: signin.ebay.ca
> > DNS Name: signin.ebay.com.au
> > DNS Name: signin.ebay.com.cn
> > DNS Name: signin.express.ebay.com
> > DNS Name: signin.half.ebay.com
> > DNS Name: signin.liveauctions.ebay.com
> > DNS Name: signin.shopping.ebay.com
> > DNS Name: signin.tw.ebay.com
> > DNS Name: signin.ebay.com
> >
> > and if you go to https://signin.ebay.de you again get a cert with CN=signin.ebay.com but alt names of:
> > Not Critical
> > DNS Name: signin.befr.ebay.be
> > DNS Name: signin.benl.ebay.be
> > DNS Name: signin.ebay.at
> > DNS Name: signin.ebay.be
> > DNS Name: signin.ebay.co.uk
> > DNS Name: signin.ebay.de
> > DNS Name: signin.ebay.es
> > DNS Name: signin.ebay.fr
> > DNS Name: signin.ebay.ie
> > DNS Name: signin.ebay.nl
> > DNS Name: signin.express.ebay.co.uk
> > DNS Name: signin.ebay.com
> >
> >
> > So yeah, it's important.
> >
> > On 10/11/07, Close, Tyler J. <tyler.close@hp.com> wrote:
> > >
> > > Thomas Roessler wrote:
> > > > going through the matching algorithm while folding it in...
> > > >
> > > > - The current language confuses attributes and fields.  I suspect
> > > >   that you mean the various attributes of the Subject certificate
> > > >   field.  Please confirm.
> > >
> > > The CN, O, L, ST and C values I refer to are the ones in the set
> > > referred to by the Subject field in the end entity certificate. Not
> > > sure how to be any more specific about this in PKIXese.
> > >
> > > > - I notice that you have some rules that concern matching the CN
> > > >   attribute, but none concerning subjectAltName.  I'm happy to
> > > >   simply track this point as an issue.
> > >
> > > Could you point me to a document covering the semantics of
> > > subjectAltName? Is it in use in X.509 certs on the Web?
> > >
> > > > Also, I'll open an issue to track the "PKI orthodoxy" remarks that
> > > > Hal had made at the face-to-face, and will link to that issue from
> > > > the draft.
> > >
> > > Thanks,
> > > --Tyler
> > >
> > >
> >
>

Received on Thursday, 11 October 2007 21:43:42 UTC
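
Added example, not part of the original thread or of the WG draft: a simplified sketch of the RFC 2818 section 3.1 rule the thread refers to, where subjectAltName dNSName entries, when present, are the identity and the CN is only a fallback. The certificate is modelled as a plain dict, the function names and the use_san switch are hypothetical, and the CN-only sample certificate is constructed; the eBay names are the ones quoted in the thread.

```python
# Added example: RFC 2818 section 3.1 style host-name check (simplified).
# Certificates are plain dicts here; no real X.509 parsing is performed.

def _name_match(pattern, host):
    """Case-insensitive DNS match. Simplification: '*' may only stand for the
    whole leftmost label, and only above at least two fixed labels."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and h[0] != "" and p[1:] == h[1:]
    return p == h

def match_host(cert, host, use_san=True):
    """Return (matched, source). With use_san=False the check behaves like a
    matcher that only has CN rules (hypothetical switch for comparison)."""
    dns_names = cert.get("san_dns", []) if use_san else []
    if dns_names:
        # dNSName entries present: they are the identity, the CN is ignored.
        return any(_name_match(n, host) for n in dns_names), "subjectAltName"
    cn = cert.get("cn")
    return (cn is not None and _name_match(cn, host)), "CN"

# Certificate served at signin.ebay.de, as listed in the thread.
EBAY_DE_CERT = {
    "cn": "signin.ebay.com",
    "san_dns": [
        "signin.befr.ebay.be", "signin.benl.ebay.be", "signin.ebay.at",
        "signin.ebay.be", "signin.ebay.co.uk", "signin.ebay.de",
        "signin.ebay.es", "signin.ebay.fr", "signin.ebay.ie",
        "signin.ebay.nl", "signin.express.ebay.co.uk", "signin.ebay.com",
    ],
}

# Constructed sample: a certificate with a CN and no subjectAltName.
CN_ONLY_CERT = {"cn": "www.example.com", "san_dns": []}

if __name__ == "__main__":
    for cert, host, san in [
        (EBAY_DE_CERT, "signin.ebay.de", True),    # matches via alt name
        (EBAY_DE_CERT, "signin.ebay.de", False),   # CN-only rules: mismatch
        (CN_ONLY_CERT, "example.com", True),       # no alt names, CN differs
    ]:
        print(host, "use_san=%s" % san, match_host(cert, host, san))
```
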